[SECURITY-41] Implement AppPermissionEvaluator grant() Created: 17/Aug/22 Updated: 25/May/23 Resolved: 23/May/23 |
| Status: | Closed |
| Project: | Security |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 7.0.0 |
| Type: | Story | Priority: | Neutral |
| Reporter: | Evzen Fochr | Assignee: | Evzen Fochr |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Σ Remaining Estimate: | Not Specified | Remaining Estimate: | Not Specified |
| Σ Time Spent: | Not Specified | Time Spent: | Not Specified |
| Σ Original Estimate: | Not Specified | Original Estimate: | Not Specified |
| Acceptance criteria: | Empty |
| Epic Link: | App and action based security for Norsu |
| Sprint: | AdminX 36 |
| Story Points: | 3 |
| Approved: | Yes |
| Description |
Config:

magnolia.auth.permission.app.[permission-name].access=[ALLOW|DENY]
magnolia.auth.permission.app.[permission-name].app-name=[magnolia-app-name]
magnolia.auth.permission.app.[permission-name].policy=[policy-name]
magnolia.auth.permission.app.[permission-name].subapp-name=[magnolia-subapp-name]
magnolia.auth.permission.app.[permission-name].actions=[action-names separated by comma]

Evaluator rules:
e.g. 1
magnolia.auth.permission.app.permission1.access=DENY
magnolia.auth.permission.app.permission1.app-name=pages-app
magnolia.auth.permission.app.permission1.policy=default
-> denies access to the app itself (this config does nothing special, since the default access is already deny)

e.g. 2
magnolia.auth.permission.app.permission2.access=ALLOW
magnolia.auth.permission.app.permission2.app-name=pages-app
magnolia.auth.permission.app.permission2.subapp-name=browser
magnolia.auth.permission.app.permission2.policy=browser-read-only
-> allows the user to enter only the browser subapp, but all of its actions will be unavailable

e.g. 3
magnolia.auth.permission.app.permission3.access=ALLOW
magnolia.auth.permission.app.permission3.app-name=pages-app
magnolia.auth.permission.app.permission3.subapp-name=browser
magnolia.auth.permission.app.permission3.actions=add, preview
magnolia.auth.permission.app.permission3.policy=editor-browser-availabilities
-> allows the user to enter only the browser subapp, with only the add and preview actions available
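An added example (not Magnolia's AppPermissionEvaluator): a minimal Python evaluator that parses the properties above and reproduces the outcomes of the three rules (default deny, ALLOW without actions, ALLOW with actions). It assumes a user is represented by the set of policy names they hold and that a rule without subapp-name covers the whole app; the CONFIG string is constructed from the three examples.

```python
from collections import defaultdict
PREFIX = "magnolia.auth.permission.app."
# Constructed from the three example rules in the description (properties format).
CONFIG = """\
magnolia.auth.permission.app.permission1.access=DENY
magnolia.auth.permission.app.permission1.app-name=pages-app
magnolia.auth.permission.app.permission1.policy=default
magnolia.auth.permission.app.permission2.access=ALLOW
magnolia.auth.permission.app.permission2.app-name=pages-app
magnolia.auth.permission.app.permission2.subapp-name=browser
magnolia.auth.permission.app.permission2.policy=browser-read-only
magnolia.auth.permission.app.permission3.access=ALLOW
magnolia.auth.permission.app.permission3.app-name=pages-app
magnolia.auth.permission.app.permission3.subapp-name=browser
magnolia.auth.permission.app.permission3.actions=add, preview
magnolia.auth.permission.app.permission3.policy=editor-browser-availabilities
"""

def parse_permissions(text):
    """Group 'PREFIX<name>.<field>=<value>' lines by permission name."""
    perms = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX) or "=" not in line:
            continue  # blank line, comment or unrelated property
        key, value = (s.strip() for s in line.split("=", 1))
        name, _, field = key[len(PREFIX):].partition(".")
        if field == "actions":  # comma-separated action names
            value = {a.strip() for a in value.split(",") if a.strip()}
        perms[name][field] = value
    return dict(perms)

def _applies(perm, policies, app, subapp):
    # Assumption: no subapp-name means the whole app; subapp=None asks about app entry.
    if perm.get("policy") not in policies or perm.get("app-name") != app:
        return False
    scope = perm.get("subapp-name")
    return subapp is None or scope is None or scope == subapp

def can_access(perms, policies, app, subapp=None):
    # Default deny: only an applicable ALLOW grants; an explicit DENY adds nothing (e.g. 1).
    return any(p.get("access") == "ALLOW" and _applies(p, policies, app, subapp)
               for p in perms.values())

def allowed_actions(perms, policies, app, subapp):
    # Union of 'actions' over applicable ALLOW rules; empty when none list any (e.g. 2).
    if not can_access(perms, policies, app, subapp):
        return set()
    return set().union(*(p.get("actions", set()) for p in perms.values()
                         if p.get("access") == "ALLOW" and _applies(p, policies, app, subapp)))
```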