FEATURE: Add Flow\Policy Attribute/Annotation #3324

Draft
wants to merge 1 commit into
base: 9.0

mficzel
Member

@mficzel mficzel commented Mar 3, 2024

The Flow\Policy attribute allows assigning the required policies (mostly roles) directly on the affected method.
This makes it possible to avoid dealing with Policy.yaml in projects in simple cases where it is sometimes annoying to look up the exact syntax for that.

Hint: While this is a very convenient way to add policies in project code it should not be used in libraries/packages that expect to be configured for the outside. In such cases the policy.yaml is still preferred as it is easier to overwrite. Also Policy yaml offers features like parameter filters that are not available via annotations.

Usage:

```php
use Neos\Flow\Mvc\Controller\ActionController;
use Neos\Flow\Annotations as Flow;
use Neos\Flow\Security\Authorization\Privilege\PrivilegeInterface;

class ExampleController extends ActionController
{
    /**
     * By assigning a policy with a role argument, access to the method is granted to the specified role
     */
    #[Flow\Policy(role: 'Neos.Flow:Everybody')]
    public function everybodyAction(): void
    {
    }

    /**
     * By specifying the permission in addition, DENY and ABSTAIN can be configured as well
     * Flow\Policy attributes can be assigned multiple times if multiple roles are to be configured
     */
    #[Flow\Policy(role: 'Neos.Flow:Administrator', permission: PrivilegeInterface::GRANT)]
    #[Flow\Policy(role: 'Neos.Flow:Anonymous', permission: PrivilegeInterface::DENY)]
    public function adminButNotAnonymousAction(): void
    {
    }
}
```

The package: Meteko.PolicyAnnotation by @sorenmalling implemented the same ideas earlier.

Resolves: #2060

Upgrade instructions

Review instructions

See: #3325 resolving #2059, both solutions should work hand in hand

Checklist

  • Code follows the PSR-2 coding style
  • Tests have been created, run and adjusted as needed
  • The PR is created against the lowest maintained branch
  • Reviewer - PR Title is brief but complete and starts with FEATURE|TASK|BUGFIX
  • Reviewer - The first section explains the change briefly for change-logs
  • Reviewer - Breaking Changes are marked with !!! and have upgrade-instructions
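
For comparison, an added example that is not part of the pull request: a hand-written `Policy.yaml` expressing the same access rules as the usage example in the description. The `Acme\Example\Controller` namespace and the privilege target names are assumptions made for illustration; the identifiers the attribute generates internally are not shown on this page.

```yaml
# Policy.yaml of a hypothetical package "Acme.Example" (constructed example)
privilegeTargets:
  'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
    # One privilege target per protected action; names are hypothetical
    'Acme.Example:ExampleController.everybody':
      matcher: 'method(Acme\Example\Controller\ExampleController->everybodyAction())'
    'Acme.Example:ExampleController.adminButNotAnonymous':
      matcher: 'method(Acme\Example\Controller\ExampleController->adminButNotAnonymousAction())'

roles:
  # Equivalent of #[Flow\Policy(role: 'Neos.Flow:Everybody')]
  'Neos.Flow:Everybody':
    privileges:
      -
        privilegeTarget: 'Acme.Example:ExampleController.everybody'
        permission: GRANT

  # Equivalent of the GRANT attribute on adminButNotAnonymousAction()
  'Neos.Flow:Administrator':
    privileges:
      -
        privilegeTarget: 'Acme.Example:ExampleController.adminButNotAnonymous'
        permission: GRANT

  # Equivalent of the DENY attribute on adminButNotAnonymousAction()
  'Neos.Flow:Anonymous':
    privileges:
      -
        privilegeTarget: 'Acme.Example:ExampleController.adminButNotAnonymous'
        permission: DENY
```

Once a method is matched by a privilege target it is no longer callable by roles without a GRANT, and a DENY from any of the account's roles overrides a GRANT from another.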

@mficzel mficzel changed the title FEATURE: Add Flow\Policy Annotations/Attributes FEATURE: Add Flow\Policy Attribute/Annotation Mar 3, 2024
@mficzel mficzel force-pushed the feature/policyAnnotations branch 5 times, most recently from 2332d14 to 052a794 Compare March 3, 2024 16:12
@mficzel
Member Author

mficzel commented Mar 3, 2024

A better name for the PolicyAnnotationService would be appreciated

@mficzel mficzel marked this pull request as ready for review March 3, 2024 16:20
@mficzel mficzel force-pushed the feature/policyAnnotations branch 2 times, most recently from 512e1bd to 41304fa Compare March 4, 2024 08:29
The `Flow\Policy` attribute allows assigning the required policies (mostly roles) directly on the affected method.
This makes it possible to avoid dealing with Policy.yaml in projects in simple cases where it is sometimes annoying to look up the exact syntax for that.

Hint: While this is a very convenient way to add policies in project code it should not be used in libraries/packages that expect to be configured for the outside.
In such cases the policy.yaml is still preferred as it is easier to overwrite.

Usage:

```php
use Neos\Flow\Mvc\Controller\ActionController;
use Neos\Flow\Annotations as Flow;
use Neos\Flow\Security\Authorization\Privilege\PrivilegeInterface;

class ExampleController extends ActionController
{
    /**
     * By assigning a policy with a role argument, access to the method is granted to the specified role
     */
    #[Flow\Policy(role: 'Neos.Flow:Everybody')]
    public function everybodyAction(): void
    {
    }

    /**
     * By specifying the permission in addition, DENY and ABSTAIN can be configured as well
     * Flow\Policy attributes can be assigned multiple times if multiple roles are to be configured
     */
    #[Flow\Policy(role: 'Neos.Flow:Administrator', permission: PrivilegeInterface::GRANT)]
    #[Flow\Policy(role: 'Neos.Flow:Anonymous', permission: PrivilegeInterface::DENY)]
    public function adminButNotAnonymousAction(): void
    {
    }
}
```

The package: `Meteko.PolicyAnnotation` by @sorenmalling implemented the same ideas earlier.

Resolves: neos#2060
@mficzel mficzel marked this pull request as draft March 15, 2024 16:38
@mficzel
Member Author

mficzel commented Mar 17, 2024

Just discovered that the signal in the policy service is called too late for any policies that require proxy building. Will try to refactor this to the PolicyConfigurationLoader that seems to be called in time.

Strange is that the roles and policies show up in the ./flow security:* commands without being effective.

Projects
Status: Under Review 👀
Development

Successfully merging this pull request may close these issues.

Allow to specify policies per action through annotations
1 participant