
Policy "property("Persistence_Object_Identifier").in("someContext")" not working when returning empty array.

Open lsascha opened this issue 3 years ago • 1 comments

Description

When using the in() condition for a policy, the array returned by the context getter cannot be an empty array.

Steps to Reproduce

  1. write a context with a getter named getFacilityIdsTree, returning an empty array like this:
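    <?php
    declare(strict_types=1);
    namespace Foo\Bar\Security\Context;

    use Neos\Cache\CacheAwareInterface;
    use Neos\Flow\Annotations as Flow;

    /**
     * @Flow\Scope("singleton")
     */
    class FacilityContext implements CacheAwareInterface
    {
        /**
         * Find all facilities
         * @return array<string>
         */
        public function getFacilityIdsTree(): array
        {
            // Empty result: this is the case that triggers the problem
            return [];
        }

        /**
         * Required by CacheAwareInterface; a constant is sufficient here
         * because the getter above always returns the same value.
         */
        public function getCacheEntryIdentifier(): string
        {
            return 'facility-context';
        }
    }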
    
  2. and configure it as global object for aop like this:
     Neos:
       Flow:
         aop:
           globalObjects:
             facilityContext: Foo\Bar\Security\Context\FacilityContext
    
  3. create a Policy with a matcher like this:
    isType("Foo\Bar\Domain\Model\Facility") && !(property("Persistence_Object_Identifier").in("context.facilityContext.facilityIdsTree"))
    
  4. GRANT this policy for users, even 'Neos.Flow:Everybody' should work.

Expected behavior

Users with the Role should be able to fetch all Foo\Bar\Domain\Model\Facility objects since it is granted for them.

Actual behavior

Foo\Bar\Domain\Model\Facility objects are still not fetched, just like it's not actually granted in the policy.

Affected Versions

Flow: Version 6.1.16

Possible Workaround:

I was able to get it to work when I returned not only an empty array like this: [] but actually an array with a single empty string, like this: ['']

lsascha, May 11 '21 15:05

The bug is likely in https://github.com/neos/flow-development-collection/blob/master/Neos.Flow/Classes/Security/Authorization/Privilege/Entity/Doctrine/PropertyConditionGenerator.php#L511-L513. From a quick glance and decoding, this will generate an IS NULL check if the array ($parameter) is empty (= evaluates to empty string due to https://github.com/neos/flow-development-collection/blob/master/Neos.Flow/Classes/Security/Authorization/Privilege/Entity/Doctrine/PropertyConditionGenerator.php#L484) or null.

albe, May 12 '21 07:05
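
The empty-list case discussed in this thread, as an added example (not Flow's code and not written by either participant): it models the `IS NULL` fallback described in the comment above next to a builder that turns an empty list into a constant-false predicate, and runs both against a constructed SQLite table. The `owner` column, the table contents and all function names are assumptions; a nullable column is used, going beyond the issue's identifier case, because that is where the two renderings select different rows.

```python
import sqlite3

def _in_list(column, values):
    marks = ", ".join("?" for _ in values)
    return f"{column} IN ({marks})", list(values)

def in_condition_null_fallback(column, values):
    """Models the behaviour described above: an empty list becomes IS NULL."""
    if not values:
        return f"{column} IS NULL", []
    return _in_list(column, values)

def in_condition_strict(column, values):
    """An empty list matches no row, so emit a constant-false predicate."""
    if not values:
        return "1 = 0", []
    return _in_list(column, values)

def sample_db():
    """Constructed data: two owned facilities and one with a NULL owner."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE facility (id TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO facility VALUES (?, ?)",
                     [("f1", "alice"), ("f2", "bob"), ("f3", None)])
    return conn

def matching_ids(conn, builder, values, negate=False):
    # "owner" is a fixed identifier, never user input; values are bound.
    sql, params = builder("owner", values)
    if negate:
        sql = f"NOT ({sql})"
    query = f"SELECT id FROM facility WHERE {sql} ORDER BY id"
    return [row[0] for row in conn.execute(query, params)]

if __name__ == "__main__":
    conn = sample_db()
    for values in ([], [""], ["alice"]):
        for builder in (in_condition_null_fallback, in_condition_strict):
            for negate in (False, True):
                ids = matching_ids(conn, builder, values, negate)
                print(f"{builder.__name__:27} values={values!r:10} "
                      f"negate={negate!s:5} -> {ids}")
```

With an empty list the fallback selects the NULL-owner row and its negation drops that row, while the strict builder selects nothing and its negation selects every row.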