
Implement AppPermissionEvaluator grant()


Details

    • Story
    • Resolution: Fixed
    • Neutral
    • 7.0.0
    • None
    • None

    Description

      config:

      magnolia.auth.permission.app.[permission-name].access=[ALLOW|DENY]
      magnolia.auth.permission.app.[permission-name].app-name=[magnolia-app-name]
      magnolia.auth.permission.app.[permission-name].policy=[policy-name]
      magnolia.auth.permission.app.[permission-name].subapp-name=[magnolia-subapp-name]
      magnolia.auth.permission.app.[permission-name].actions=[action names, separated by commas]

      Evaluator rules:

      • If access is not specified, access is denied.
      • The most specific permission takes priority over the generic one.
        A hierarchical order defines whether a permission is generic or specific: app-name -> subapp-name -> actions
      • If subapp-name or actions are not specified, assume all (the permission applies to every subapp or action of the app).
      • If the user has two conflicting permissions for the same resource (or set of resources), apply the most restrictive one: DENY


      e.g. 1

      magnolia.auth.permission.app.permission1.access=DENY
      magnolia.auth.permission.app.permission1.app-name=pages-app
      magnolia.auth.permission.app.permission1.policy=default

      -> denies access to the app itself (the configuration changes nothing in practice, since the default access is already DENY)


      e.g. 2

      magnolia.auth.permission.app.permission2.access=ALLOW
      magnolia.auth.permission.app.permission2.app-name=pages-app
      magnolia.auth.permission.app.permission2.subapp-name=browser
      magnolia.auth.permission.app.permission2.policy=browser-read-only

      -> allows the user to enter only the browser subapp; all actions remain unavailable


      e.g. 3

      magnolia.auth.permission.app.permission3.access=ALLOW
      magnolia.auth.permission.app.permission3.app-name=pages-app
      magnolia.auth.permission.app.permission3.subapp-name=browser
      magnolia.auth.permission.app.permission3.actions=add, preview
      magnolia.auth.permission.app.permission3.policy=editor-browser-availabilities

      -> allows the user to enter only the browser subapp, with only the add and preview actions available
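      The evaluator rules and the three examples above, as an added worked example (this is not Magnolia's AppPermissionEvaluator, whose implementation is not on this page): a small Python evaluator that parses the property format, ranks matching permissions by app-name -> subapp-name -> actions, falls back to DENY when nothing matches or access is missing, and resolves same-level conflicts to DENY. Assumptions: the function names and the `permission9` / `assets-app` sample entries are constructed for the example; e.g. 2 and e.g. 3 are read as meaning that an ALLOW grants entry along its path plus the actions it names explicitly, while a DENY with no subapp-name or actions covers everything below its scope.

```python
"""Added example, not Magnolia code: evaluator for the SECURITY-41 app-permission rules."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PREFIX = "magnolia.auth.permission.app."


@dataclass
class AppPermission:
    name: str
    access: str = "DENY"                # rule: access not specified -> DENY
    app_name: Optional[str] = None
    subapp_name: Optional[str] = None   # None = not specified (all subapps)
    actions: Optional[Set[str]] = None  # None = not specified (all actions)
    policy: Optional[str] = None

    @property
    def specificity(self) -> int:
        """app-name -> subapp-name -> actions: each extra level is more specific."""
        return 1 + (self.subapp_name is not None) + (self.actions is not None)

    def covers(self, app: str, subapp: Optional[str], action: Optional[str]) -> bool:
        """Does this permission apply to the resource (app, subapp, action)?
        subapp=None means entering the app, action=None means entering the subapp.
        Assumption (from e.g. 2 / e.g. 3): a DENY covers its scope and everything
        below it; an ALLOW grants entry along its path plus the actions it names."""
        if self.app_name != app:
            return False
        if self.access == "DENY":
            if self.subapp_name is not None and subapp != self.subapp_name:
                return False
            if self.actions is not None and action not in self.actions:
                return False  # denying named actions does not deny entry
            return True
        if subapp is None:
            return True  # any ALLOW inside the app implies entering the app
        if self.subapp_name is not None and subapp != self.subapp_name:
            return False
        if action is None:
            return True  # entering the subapp
        return self.actions is not None and action in self.actions


def parse_properties(text: str) -> List[AppPermission]:
    """Parse magnolia.auth.permission.app.<name>.<field>=<value> lines."""
    perms: Dict[str, AppPermission] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.startswith(PREFIX):
            continue
        name, _, field_name = key[len(PREFIX):].partition(".")
        perm = perms.setdefault(name, AppPermission(name))
        if field_name == "access":
            # anything other than an explicit ALLOW is treated as DENY
            perm.access = "ALLOW" if value.upper() == "ALLOW" else "DENY"
        elif field_name == "app-name":
            perm.app_name = value
        elif field_name == "subapp-name":
            perm.subapp_name = value
        elif field_name == "actions":
            perm.actions = {a.strip() for a in value.split(",") if a.strip()}
        elif field_name == "policy":
            perm.policy = value
    return list(perms.values())


def evaluate(perms: List[AppPermission], app: str,
             subapp: Optional[str] = None, action: Optional[str] = None) -> str:
    """Return "ALLOW" or "DENY" for the resource; default is DENY."""
    matching = [p for p in perms if p.covers(app, subapp, action)]
    if not matching:
        return "DENY"
    top = max(p.specificity for p in matching)          # most specific wins
    best = [p for p in matching if p.specificity == top]
    # conflicting permissions at the same level: most restrictive (DENY) wins
    return "DENY" if any(p.access == "DENY" for p in best) else "ALLOW"


# Sample configs: e.g. 1-3 are the issue's examples; the rest are constructed.
EXAMPLE_1 = """
magnolia.auth.permission.app.permission1.access=DENY
magnolia.auth.permission.app.permission1.app-name=pages-app
magnolia.auth.permission.app.permission1.policy=default
"""
EXAMPLE_2 = """
magnolia.auth.permission.app.permission2.access=ALLOW
magnolia.auth.permission.app.permission2.app-name=pages-app
magnolia.auth.permission.app.permission2.subapp-name=browser
magnolia.auth.permission.app.permission2.policy=browser-read-only
"""
EXAMPLE_3 = """
magnolia.auth.permission.app.permission3.access=ALLOW
magnolia.auth.permission.app.permission3.app-name=pages-app
magnolia.auth.permission.app.permission3.subapp-name=browser
magnolia.auth.permission.app.permission3.actions=add, preview
magnolia.auth.permission.app.permission3.policy=editor-browser-availabilities
"""
CONFLICT = EXAMPLE_3 + """
magnolia.auth.permission.app.permission9.access=DENY
magnolia.auth.permission.app.permission9.app-name=pages-app
magnolia.auth.permission.app.permission9.subapp-name=browser
magnolia.auth.permission.app.permission9.actions=add
"""
NO_ACCESS = "magnolia.auth.permission.app.permission8.app-name=assets-app\n"
```

Combining EXAMPLE_1 with EXAMPLE_2 shows the specificity rule: the app-wide DENY loses to the subapp-level ALLOW for the browser subapp, but still denies every other subapp, and CONFLICT shows two level-3 permissions for the same action resolving to DENY.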

              People

                efochr Evzen Fochr
                efochr Evzen Fochr
                AdminX