neos-development-collection

Backend Permissions for subsection not working

Open PeterSchuhmann opened this issue 4 years ago • 6 comments

Expected behavior

Hi Everyone,

I'm trying to implement custom backend permissions for a specific role to show only a subsection of the node tree (like the footer pages). I tried multiple ways and followed the introduction here: https://docs.neos.io/cms/manual/backend-permissions/real-world-examples but it does not work.

Please keep in mind that I don't want an additional role which has to be combined with another user role in the backend. I want to be able to create a user, give him only one role, MySite.Neos.Site:FooterEditor, and have him log in and see only the footer pages.

Actual behavior

Here is my current configuration:

privilegeTargets:
  'Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege':
    'MySite.Neos.Site:AllNodes':
      matcher: 'TRUE'
    'MySite.Neos.Site:FooterPages':
      matcher: "isDescendantNodeOf('89628cb9-387e-9047-1c31-be0375cadf5f')"
roles:
  'MySite.Neos.Site:FooterEditor':
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'MySite.Neos.Site:FooterPages'
        permission: GRANT

Right now I use "Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege" (not like in the example), which almost works, but somehow the nodetree never loads (keeps spinning all the time). Please note that I use a parentRole Neos.Neos:Editor to give the role the basic permissions to edit the content (not like in the example).

I also tried Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege (like in the example), which causes the nodetree to load fully without any regulations (not really what I want). If I remove the parentRole (like in the example) I get a 403 error in the backend saying that I don't have method permissions to even show the nodetree.

The node identifiers of the subpages are correct for sure.

Affected Versions

behat/transliterator                           v1.2.0             String transliterator
composer/ca-bundle                             1.2.4              Lets you find a path to the system CA bundle, and includes a fallback to the Mo...
composer/composer                              1.9.1              Composer helps you declare, manage and install dependencies of PHP projects. It...
composer/semver                                1.5.0              Semver library that offers utilities, version constraint parsing and validation.
composer/spdx-licenses                         1.5.2              SPDX licenses list and validation library.
composer/xdebug-handler                        1.4.0              Restarts a process without Xdebug.
doctrine/annotations                           v1.8.0             Docblock Annotations Parser
doctrine/cache                                 1.10.0             PHP Doctrine Cache library is a popular cache implementation that supports many...
doctrine/collections                           1.6.4              PHP Doctrine Collections library that adds additional functionality on top of P...
doctrine/common                                v2.11.0            PHP Doctrine Common project is a library that provides additional functionality...
doctrine/dbal                                  v2.10.0            Powerful PHP database abstraction layer (DBAL) with many features for database ...
doctrine/event-manager                         1.1.0              The Doctrine Event Manager is a simple PHP event system that was built to be us...
doctrine/inflector                             1.3.1              Common String Manipulations with regard to casing and singular/plural rules.
doctrine/instantiator                          1.3.0              A small, lightweight utility to instantiate objects in PHP without invoking the...
doctrine/lexer                                 1.2.0              PHP Doctrine Lexer parser library that can be used in Top-Down, Recursive Desce...
doctrine/migrations                            v1.8.1             Database Schema migrations using Doctrine DBAL
doctrine/orm                                   v2.7.0             Object-Relational-Mapper for PHP
doctrine/persistence                           1.2.0              The Doctrine Persistence project is a set of shared interfaces and functionalit...
doctrine/reflection                            v1.0.0             Doctrine Reflection component
egulias/email-validator                        2.1.11             A library for validating emails against several RFCs
flowpack/neos-frontendlogin                    3.0.4              Neos plugin demonstrating a simple frontend login
flowpack/simplesearch                          3.0.1              Plain PHP search engine using sqlite3 as storage backend.
flowpack/simplesearch-contentrepositoryadaptor 2.0.3              Implements a bridge to search in Neos CR via the flowpack/simplesearch package.
gedmo/doctrine-extensions                      v2.4.38            Doctrine2 behavioral extensions
imagine/imagine                                1.2.2              Image processing for PHP 5.3
justinrainbow/json-schema                      5.2.9              A library to validate a json schema.
mikey179/vfsstream                             v1.6.8             Virtual file system to mock the real file system in unit tests.
myclabs/deep-copy                              1.9.3              Create deep copies (clones) of your objects
neos/behat                                     dev-master 33c186a Behat support package for Neos Flow
neos/buildessentials                           dev-master a7ee073 Neos Flow Build Toolchain Essentials
neos/cache                                     5.3.8              Neos Cache Framework
neos/composer-plugin                           2.0.1              Flow Composer Plugin
neos/content-repository                        4.3.7              Content repository based on Flow, specifically made for Neos.
neos/content-repository-search                 3.0.7              Common code and interface for a Neos CR search implementation
neos/diff                                      4.3.7              This is a comprehensive library for generating differences between two strings ...
neos/eel                                       5.3.8              The Embedded Expression Language (Eel) is a building block for creating Domain ...
neos/error-messages                            5.3.8              Flow error messages
neos/flow                                      5.3.8              Flow Application Framework
neos/flow-log                                  5.3.8              Flow Framework Logger
neos/fluid-adaptor                             5.3.8              Fluid Templating Framework Adaptor
neos/form                                      4.2.1              Extensible and flexible API for building web forms
neos/fusion                                    4.3.7              Fusion is a hierarchical, prototype based processing language
neos/fusion-afx                                v1.4.0             JSX inspired compact syntax for Neos.Fusion
neos/imagine                                   3.1.2             
neos/kickstarter                               5.3.8              A simple generator for controller and views.
neos/media                                     4.3.7              The Media package
neos/media-browser                             4.3.7              This module allows managing of media assets including pictures, videos, audio a...
neos/neos                                      4.3.7              An open source Content Application Platform based on Flow. A set of core Conten...
neos/neos-ui                                   3.8.1              Neos CMS UI written in React
neos/neos-ui-compiled                          3.8.1             
neos/nodetypes                                 4.3.7              Node type configuration for Neos
neos/nodetypes-assetlist                       4.3.7              A simple asset list node type.
neos/nodetypes-basemixins                      4.3.7              Base mixins which are useful across projects.
neos/nodetypes-columnlayouts                   4.3.7              Various simple column layouts node type.
neos/nodetypes-contentreferences               4.3.7              A simple content reference node type.
neos/nodetypes-form                            4.3.7              A simple form node type.
neos/nodetypes-html                            4.3.7              A simple html node type.
neos/nodetypes-navigation                      4.3.7              A navigation node type.
neos/party                                     5.0.2              A party package for PHP based on the OASIS Customer Information Quality (CIQ) X...
neos/redirecthandler                           2.0.1              Basic API to handle HTTP redirects with the Flow Framework
neos/redirecthandler-databasestorage           3.0.0              A plugin for neos/redirecthandler to store redirects in the database
neos/redirecthandler-neosadapter               3.1.0              Neos Redirect Handler
neos/seo                                       3.0.6              SEO configuration and tools for Neos
neos/setup                                     4.0.x-dev 0bed74b  An extensible setup tool for Neos Flow based applications
neos/site-kickstarter                          4.3.7              A simple generator for Neos assets, like sites and plugins.
neos/swiftmailer                               7.1.0              A Flow package for easy use of Swift Mailer
neos/twitter-bootstrap                         3.0.5              Simple and flexible HTML, CSS, and Javascript for popular user interface compon...
neos/utility-arrays                            5.3.8              Flow Array Utilities
neos/utility-files                             5.3.8              Flow Files Utilities
neos/utility-lock                              5.3.8              Flow Locking Implementation
neos/utility-mediatypes                        5.3.8              Flow Media Types Utilities
neos/utility-objecthandling                    5.3.8              Flow array/object property and type utilities
neos/utility-opcodecache                       5.3.8              Flow Opcode Cache Utilities
neos/utility-pdo                               5.3.8              Flow PDO Utilities
neos/utility-schema                            5.3.8              Flow Schema Utilities
neos/utility-unicode                           5.3.8              Flow Unicode Utilities
ocramius/package-versions                      1.4.2              Composer plugin that provides efficient querying for installed package versions...
ocramius/proxy-manager                         2.2.3              A library providing utilities to generate, instantiate and generally operate wi...
paragonie/random_compat                        v9.99.99           PHP 5.x polyfill for random_bytes() and random_int() from PHP 7
phar-io/manifest                               1.0.3              Component for reading phar.io manifest information from a PHP Archive (PHAR)
phar-io/version                                2.0.1              Library for handling version information and constraints
phpdocumentor/reflection-common                2.0.0              Common reflection classes used by phpdocumentor to reflect the code structure
phpdocumentor/reflection-docblock              4.3.2              With this component, a library can provide support for annotations via DocBlock...
phpdocumentor/type-resolver                    1.0.1              A PSR-5 based resolver of Class names, Types and Structural Element Names
phpspec/prophecy                               1.9.0              Highly opinionated mocking framework for PHP 5.3+
phpunit/php-code-coverage                      6.1.4              Library that provides collection, processing, and rendering functionality for P...
phpunit/php-file-iterator                      2.0.2              FilterIterator implementation that filters files based on a list of suffixes.
phpunit/php-text-template                      1.2.1              Simple template engine.
phpunit/php-timer                              2.1.2              Utility class for timing
phpunit/php-token-stream                       3.1.1              Wrapper around PHP's tokenizer extension.
phpunit/phpunit                                7.5.17             The PHP Unit Testing framework.
psr/cache                                      1.0.1              Common interface for caching libraries
psr/container                                  1.0.0              Common Container Interface (PHP FIG PSR-11)
psr/http-message                               1.0.1              Common interface for HTTP messages
psr/log                                        1.1.2              Common interface for logging libraries
psr/simple-cache                               1.0.1              Common interfaces for simple caching
ramsey/uuid                                    3.9.1              Formerly rhumsaa/uuid. A PHP 5.4+ library for generating RFC 4122 version 1, 3,...
sebastian/code-unit-reverse-lookup             1.0.1              Looks up which function or method a line of code belongs to
sebastian/comparator                           3.0.2              Provides the functionality to compare PHP values for equality
sebastian/diff                                 3.0.2              Diff implementation
sebastian/environment                          4.2.3              Provides functionality to handle HHVM/PHP environments
sebastian/exporter                             3.1.2              Provides the functionality to export PHP variables for visualization
sebastian/global-state                         2.0.0              Snapshotting of global state
sebastian/object-enumerator                    3.0.3              Traverses array structures and object graphs to enumerate all referenced objects
sebastian/object-reflector                     1.1.1              Allows reflection of object attributes, including inherited and non-public ones
sebastian/recursion-context                    3.0.0              Provides functionality to recursively process PHP variables
sebastian/resource-operations                  2.0.1              Provides a list of PHP built-in functions that operate on resources
sebastian/version                              2.0.1              Library that helps with managing the version number of Git-hosted PHP projects
seld/jsonlint                                  1.7.2              JSON Linter
seld/phar-utils                                1.0.1              PHAR file format utilities, for when PHP phars you up
swiftmailer/swiftmailer                        v6.2.3             Swiftmailer, free feature-rich PHP mailer
symfony/console                                v4.4.1             Symfony Console Component
symfony/css-selector                           v2.8.52            Symfony CssSelector Component
symfony/dom-crawler                            v4.4.1             Symfony DomCrawler Component
symfony/filesystem                             v4.4.1             Symfony Filesystem Component
symfony/finder                                 v4.4.1             Symfony Finder Component
symfony/polyfill-ctype                         v1.13.1            Symfony polyfill for ctype functions
symfony/polyfill-iconv                         v1.13.1            Symfony polyfill for the Iconv extension
symfony/polyfill-intl-idn                      v1.13.1            Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions
symfony/polyfill-mbstring                      v1.13.1            Symfony polyfill for the Mbstring extension
symfony/polyfill-php72                         v1.13.1            Symfony polyfill backporting some PHP 7.2+ features to lower PHP versions
symfony/polyfill-php73                         v1.13.1            Symfony polyfill backporting some PHP 7.3+ features to lower PHP versions
symfony/process                                v4.4.1             Symfony Process Component
symfony/service-contracts                      v2.0.1             Generic abstractions related to writing services
symfony/yaml                                   v4.4.1             Symfony Yaml Component
theseer/tokenizer                              1.1.3              A small library for converting tokenized PHP source code into XML and potential...
typo3fluid/fluid                               2.6.8              The TYPO3 Fluid template rendering engine
webmozart/assert                               1.6.0              Assertions to validate method input/output with nice error messages.
zendframework/zend-code                        3.4.0              Extensions to the PHP Reflection API, static code scanning, and code generation
zendframework/zend-eventmanager                3.2.1              Trigger and listen to events within a PHP application

PeterSchuhmann Dec 10 '19 08:12
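An added example, not part of the original post and not Neos or Flow code: a simplified Python model of Flow's vote rule (any DENY wins, otherwise one GRANT is enough, and a node covered by a privilege target without a GRANT is refused) applied to the configuration posted above. The node tree, the helper names and the "a node counts as its own descendant" matcher semantics are assumptions made for illustration.

```python
# Simplified model (an assumption, not Neos/Flow code) of how privilege votes
# are combined for the configuration posted in this issue.

FOOTER = "89628cb9-387e-9047-1c31-be0375cadf5f"  # identifier from the issue

# Constructed node tree: node identifier -> parent identifier.
PARENTS = {
    "site-root": None,     # constructed
    "home": "site-root",   # constructed
    FOOTER: "site-root",
    "imprint": FOOTER,     # constructed footer subpage
}

def is_descendant_of(node, ancestor):
    """True for the ancestor itself and everything below it (assumed semantics)."""
    while node is not None:
        if node == ancestor:
            return True
        node = PARENTS[node]
    return False

# Privilege targets from the posted configuration, matchers as predicates.
TARGETS = {
    "MySite.Neos.Site:AllNodes": lambda node: True,
    "MySite.Neos.Site:FooterPages": lambda node: is_descendant_of(node, FOOTER),
}

# Roles from the posted configuration. Neos.Neos:Editor has no entry for the
# two custom targets, so it abstains on both.
ROLES = {
    "Neos.Neos:Editor": {"parents": [], "privileges": {}},
    "MySite.Neos.Site:FooterEditor": {
        "parents": ["Neos.Neos:Editor"],
        "privileges": {"MySite.Neos.Site:FooterPages": "GRANT"},
    },
}

def role_chain(role):
    """The role itself plus all of its parent roles."""
    chain = [role]
    for parent in ROLES[role]["parents"]:
        chain.extend(role_chain(parent))
    return chain

def decide(role, node):
    matching = [name for name, matcher in TARGETS.items() if matcher(node)]
    if not matching:
        return "GRANTED"  # node is not covered by any privilege target
    votes = {ROLES[r]["privileges"].get(t)
             for r in role_chain(role) for t in matching}
    if "DENY" in votes:
        return "DENIED"
    return "GRANTED" if "GRANT" in votes else "DENIED"

def report(role):
    return {node: decide(role, node) for node in PARENTS}
```

In this model the `AllNodes` target with matcher `TRUE` covers every node but is granted to no role, so the footer subtree is permitted while its ancestors, including the site root, are refused.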

> If I remove the parentRole (like in the example) I get a 403 error in the backend saying that I don't have method permissions to even show the nodetree.

Which is very much expected. Did you try to check what permissions are granted to the Editor role and add those that are vital to your own role? That should at least help a bit.

kdambekalns Dec 10 '19 09:12

Hello Peter,

what you are describing is a missing feature in Neos, not a bug. The permission NodeTreePrivilege extends EditNodePrivilege. This means currently an editor which can see the backend NodeTreePrivilege can also edit it.

I was discussing that topic with Dmitri last week and I'm currently looking into it, maybe you want to ping me on slack #rolandschuetz

rolandschuetz Dec 10 '19 09:12

@rolandschuetz interesting. In the example it sounded to me that the other nodes in the nodetree are not visible https://docs.neos.io/cms/manual/backend-permissions/real-world-examples, but I checked the example again and it could mean that you see them all but you can only edit a subset of them. Maybe that is okay for my customer as well.

But it should be a feature in the future, because if you build a bigger page you will need editors with a subset of nodes.

I will get in touch with you on Slack.

Thank you guys!

PeterSchuhmann Dec 10 '19 10:12

I agree that there should be a possibility to only show the pages in the document tree that the editor has rights for. I have users that are only allowed to edit one page, and they have to search for it among hundreds of pages every time they need to change anything.

Discostu36 Aug 24 '20 09:08

Take a look at https://github.com/sandstorm/NeosAcl

rolandschuetz Aug 24 '20 13:08

The problem with the current NodeTreePrivilege implementation is that there is no way to show some parts of the NodeTree without giving the user the ability to edit those nodes. This isn't always the needed behaviour.

Benjamin-K Sep 20 '22 15:09

I also had the problem come up today: Showing a subtree via privilegeTarget breaks a whitelisting approach with EditNodePrivilege for nodes inside that path. Maybe it's worth noting in the docs as this kinda impacts role planning?

patricekaufmann Dec 05 '22 18:12