SECURITY-41: Implement AppPermissionEvaluator grant()

Details

    • Story
    • Resolution: Fixed
    • Neutral
    • 7.0.0

    Description

      config:

      magnolia.auth.permission.app.[permission-name].access=[ALLOW|DENY]
      magnolia.auth.permission.app.[permission-name].app-name=[magnolia-app-name]
      magnolia.auth.permission.app.[permission-name].policy=[policy-name]
      magnolia.auth.permission.app.[permission-name].subapp-name=[magnolia-subapp-name]
      magnolia.auth.permission.app.[permission-name].actions=[action-name's separated by comma]

      Evaluator rules:

      • If access is not specified, access is denied.
      • The most specific permission takes priority over the more generic one.
        The hierarchy that defines how specific a permission is: app-name -> subapp -> actions
      • If subapp-name or actions are not specified, the permission applies to all subapps or all actions.
      • If the user has two conflicting permissions for the same resource (or set of resources), the most restrictive one applies: DENY.


      e.g. 1

      magnolia.auth.permission.app.permission1.access=DENY
      magnolia.auth.permission.app.permission1.app-name=pages-app
      magnolia.auth.permission.app.permission1.policy=default

      -> denies access to the app itself (this configuration changes nothing, since the default access is already deny)


      e.g. 2

      magnolia.auth.permission.app.permission2.access=ALLOW
      magnolia.auth.permission.app.permission2.app-name=pages-app
      magnolia.auth.permission.app.permission2.subapp-name=browser
      magnolia.auth.permission.app.permission2.policy=browser-read-only

      -> allows the user to enter only the browser subapp of the pages app, but all actions will be unavailable


      e.g. 3

      magnolia.auth.permission.app.permission3.access=ALLOW
      magnolia.auth.permission.app.permission3.app-name=pages-app
      magnolia.auth.permission.app.permission3.subapp-name=browser
      magnolia.auth.permission.app.permission3.actions=add, preview
      magnolia.auth.permission.app.permission3.policy=editor-browser-availabilities

      -> allows the user to enter only the browser subapp of the pages app, with only the add and preview actions available
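      The following is an added, constructed reference model of the four evaluator rules above; it is not Magnolia's own AppPermissionEvaluator code. It parses the magnolia.auth.permission.app.* properties, resolves requests by most-specific-wins and conflict-means-DENY, and checks e.g. 3 together with two extra permissions (denyAll, noAccess, allowBrowser are invented names) that exercise the unspecified-access and conflict rules. The policy field is parsed but not interpreted, and the handling of an actions-scoped DENY for a plain "enter the subapp" request is an assumption stated in the code.

```python
"""Model of the AppPermissionEvaluator rules from SECURITY-41 (constructed example,
not Magnolia's implementation). The 'policy' value is parsed but not interpreted."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

PREFIX = "magnolia.auth.permission.app."


@dataclass(frozen=True)
class AppPermission:
    name: str
    access: str                        # "ALLOW" or "DENY"; missing access is DENY (rule 1)
    app_name: Optional[str]
    subapp_name: Optional[str]         # None = all subapps (rule 3)
    actions: Optional[FrozenSet[str]]  # None = all actions (rule 3)
    policy: Optional[str]

    def specificity(self) -> int:
        """Rule 2 hierarchy: app-name (0) -> subapp (1) -> actions (2)."""
        if self.actions is not None:
            return 2
        if self.subapp_name is not None:
            return 1
        return 0


def parse_permissions(lines: List[str]) -> List[AppPermission]:
    """Group 'magnolia.auth.permission.app.<name>.<field>=<value>' lines by <name>."""
    fields_by_name: Dict[str, Dict[str, str]] = {}
    for line in lines:
        line = line.strip()
        if not line.startswith(PREFIX) or "=" not in line:
            continue  # blank lines, comments and unrelated keys are ignored
        key, _, value = line[len(PREFIX):].partition("=")
        name, _, field = key.partition(".")
        fields_by_name.setdefault(name, {})[field.strip()] = value.strip()

    perms = []
    for name, fields in fields_by_name.items():
        access = fields.get("access", "DENY").strip().upper()
        if access != "ALLOW":
            access = "DENY"            # rule 1: unspecified (or unknown) access denies
        raw_actions = fields.get("actions")
        actions = None
        if raw_actions is not None:    # "add, preview" -> {"add", "preview"}
            actions = frozenset(a.strip() for a in raw_actions.split(",") if a.strip())
        perms.append(AppPermission(name, access, fields.get("app-name"),
                                   fields.get("subapp-name"), actions, fields.get("policy")))
    return perms


def evaluate(perms: List[AppPermission], app: str,
             subapp: Optional[str] = None, action: Optional[str] = None) -> str:
    """Return "ALLOW" or "DENY" for entering app/subapp (action=None) or running an action.

    Assumption (not stated in the issue): an actions-scoped DENY restricts only the
    listed actions, so it is ignored when the question is merely entering the subapp.
    """
    candidates = []
    for p in perms:
        if p.app_name != app:
            continue
        if p.subapp_name is not None and p.subapp_name != subapp:
            continue
        if p.actions is not None:
            if action is None:
                if p.access == "DENY":
                    continue
            elif action not in p.actions:
                continue
        candidates.append(p)

    if not candidates:
        return "DENY"                  # rule 1: nothing grants access
    top = max(p.specificity() for p in candidates)
    decisive = [p for p in candidates if p.specificity() == top]   # rule 2
    if any(p.access == "DENY" for p in decisive):
        return "DENY"                  # rule 4: a conflict resolves to DENY
    return "ALLOW"


# Constructed config: e.g. 3 from the issue plus invented permissions for the other rules.
SAMPLE_CONFIG = """
magnolia.auth.permission.app.permission3.access=ALLOW
magnolia.auth.permission.app.permission3.app-name=pages-app
magnolia.auth.permission.app.permission3.subapp-name=browser
magnolia.auth.permission.app.permission3.actions=add, preview
magnolia.auth.permission.app.permission3.policy=editor-browser-availabilities
magnolia.auth.permission.app.denyAll.access=DENY
magnolia.auth.permission.app.denyAll.app-name=pages-app
magnolia.auth.permission.app.noAccess.app-name=assets-app
magnolia.auth.permission.app.noAccess.subapp-name=browser
magnolia.auth.permission.app.allowBrowser.access=ALLOW
magnolia.auth.permission.app.allowBrowser.app-name=assets-app
magnolia.auth.permission.app.allowBrowser.subapp-name=browser
""".splitlines()

PERMISSIONS = parse_permissions(SAMPLE_CONFIG)

if __name__ == "__main__":
    for req in [("pages-app", "browser", None), ("pages-app", "browser", "add"),
                ("pages-app", "browser", "delete"), ("pages-app", "detail", None),
                ("assets-app", "browser", None)]:
        print(req, "->", evaluate(PERMISSIONS, *req))
```

      With this config, entering pages-app/browser and running add or preview is allowed because permission3 (actions level) outranks the app-level denyAll; delete and the detail subapp fall back to denyAll; and assets-app/browser is denied because noAccess (no access field, so DENY) conflicts with allowBrowser at the same subapp level.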

              People

                efochr Evzen Fochr
                AdminX