TASK: Remove obsolete legacy yaml policy for workspaces

With the introduction of explicit user assignments for workspaces neos#5146 and roles and the full evaluation of those via neos#5298 we have replaced the previously still kept 8.3 yaml security configuration for workspaces. This decision was done as for security we can no longer use flows security framework which uses aop inside the content-repository library, and also we wanted to cleanup the user <-> workspace relation ship as well as the concept of internal vs shared workspaces. Following yaml roles were removed: - `Neos.ContentRepository:Administrator` - `Neos.ContentRepository:InternalWorkspaceAccess` Following yaml targets were removed: - `Neos.Neos:PublicWorkspaceAccess` - `Neos.Neos:OtherWorkspacesAccess` - `Neos.Neos:Backend.OtherUsersPersonalWorkspaceAccess` - `Neos.Neos:Backend.PublishOwnWorkspaceContent` - `Neos.Neos:Backend.DiscardOwnWorkspaceContent` - `Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace` Note that these targets were moved to the `Neos.Workspace.Ui:Backend` package via neos#5118 in 9.0 but were removed now either way: - `Neos.Neos:Backend.Module.Management.Workspaces.ManageOwnWorkspaces` (`Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces`) - `Neos.Neos:Backend.Module.Management.Workspaces.ManageInternalWorkspaces` (`Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageInternalWorkspaces`) - `Neos.Neos:Backend.Module.Management.Workspaces.ManageAllPrivateWorkspaces` (`Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageAllPrivateWorkspaces`)
mhsdesign · Jan 13, 2025 · d056b20 · d056b20
1 parent 9537d73
commit d056b20
Show file tree

Hide file tree

Showing 4 changed files with 0 additions and 108 deletions.
diff --git a/Neos.ContentRepository.NodeAccess/Configuration/Policy.yaml b/Neos.ContentRepository.NodeAccess/Configuration/Policy.yaml
diff --git a/Neos.Neos/Configuration/Policy.yaml b/Neos.Neos/Configuration/Policy.yaml
@@ -47,23 +47,10 @@ privilegeTargets:
       label: Access to own personal workspace
       matcher: 'method(Neos\Neos\TypeConverter\NodeConverter->prepareContextProperties(workspaceName === current.userInformation.personalWorkspaceName))'
 
-    # No role should have this privilege assigned:
-    'Neos.Neos:Backend.OtherUsersPersonalWorkspaceAccess':
-      label: Access to other users personal workspace
-      matcher: 'method(Neos\ContentRepository\Domain\Service\Context->validateWorkspace()) && evaluate(this.workspace.owner !== current.userInformation.backendUser, this.workspace.personalWorkspace === true)'
-
     'Neos.Neos:Backend.EditContent':
       label: General access to content editing
       matcher: 'method(Neos\Neos\Service\Controller\NodeController->(show|getPrimaryChildNode|getChildNodesForTree|filterChildNodesForTree|getChildNodes|getChildNodesFromParent|create|createAndRender|createNodeForTheTree|move|moveBefore|moveAfter|moveInto|moveAndRender|copy|copyBefore|copyAfter|copyInto|copyAndRender|update|updateAndRender|delete|searchPage|error)Action()) || method(Neos\Neos\Controller\Backend\ContentController->(uploadAsset|assetsWithMetadata|imageWithMetadata|createImageVariant|error)Action()) || method(Neos\Neos\Controller\Service\AssetProxiesController->(index|show|import|error)Action()) || method(Neos\Neos\Controller\Service\AssetsController->(index|show|error)Action()) || method(Neos\Neos\Controller\Service\NodesController->(index|show|create|error)Action())'
 
-    'Neos.Neos:Backend.PublishOwnWorkspaceContent':
-      label: Allowed to publish own personal workspace
-      matcher: 'method(Neos\Neos\Service\Controller\WorkspaceController->(publishNode|publishNodes|error)Action()) || method(Neos\Neos\Service\Controller\WorkspaceController->publishAllAction(workspaceName = current.userInformation.personalWorkspaceName)) || method(Neos\Neos\Service\Controller\WorkspaceController->getWorkspaceWideUnpublishedNodesAction(workspace.name = current.userInformation.personalWorkspaceName))'
-
-    'Neos.Neos:Backend.DiscardOwnWorkspaceContent':
-      label: Allowed to discard changes in own workspace
-      matcher: 'method(Neos\Neos\Service\Controller\WorkspaceController->(discardNode|discardNodes|error)Action()) || method(Neos\Neos\Service\Controller\WorkspaceController->discardAllAction(workspace.name === current.userInformation.personalWorkspaceName))'
-
     #
     # User management and user settings
     #
@@ -173,7 +160,6 @@ roles:
   'Neos.Neos:AbstractEditor':
     # This group is assigned conventionally for new shared workspaces as collaborator. See WorkspaceService::assignWorkspaceRole
     abstract: true
-    parentRoles: ['Neos.ContentRepository:Administrator']
     privileges:
       -
         privilegeTarget: 'Neos.Neos:Backend.GeneralAccess'
@@ -191,14 +177,6 @@ roles:
         privilegeTarget: 'Neos.Neos:Backend.EditContent'
         permission: GRANT
 
-      -
-        privilegeTarget: 'Neos.Neos:Backend.PublishOwnWorkspaceContent'
-        permission: GRANT
-
-      -
-        privilegeTarget: 'Neos.Neos:Backend.DiscardOwnWorkspaceContent'
-        permission: GRANT
-
       -
         privilegeTarget: 'Neos.Neos:Backend.ContentDimensions'
         permission: GRANT

diff --git a/Neos.Workspace.Ui/Configuration/Policy.yaml b/Neos.Workspace.Ui/Configuration/Policy.yaml
@@ -2,58 +2,22 @@ privilegeTargets:
 
   'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
 
-    'Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace':
-      label: Allowed to publish to the live workspace
-      matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->publishWorkspaceAction(workspace.baseWorkspace.name === "live"))'
-
     'Neos.Workspace.Ui:Backend.CreateWorkspaces':
       label: Allowed to create a workspace
       matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(create|new)Action())'
 
-    'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces':
-      label: Allowed to manage own workspaces
-      matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(publishWorkspace|discardWorkspace|edit|update|delete)Action(workspace.owner === current.userInformation.backendUser))'
-
-    'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageInternalWorkspaces':
-      label: Manage internal workspaces
-      matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(publishWorkspace|discardWorkspace|edit|update|delete)Action(workspace.owner === null))'
-
-    'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageAllPrivateWorkspaces':
-      label: Manage all private workspaces
-      matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(publishWorkspace|discardWorkspace|edit|update|delete)Action()) && evaluate(this.workspace.owner !== current.userInformation.backendUser, this.workspace.personalWorkspace === false)'
-
   'Neos\Neos\Security\Authorization\Privilege\ModulePrivilege':
     'Neos.Workspace.Ui:Backend.Module.Management.Workspace':
       label: General access to the workspace module
       matcher: 'management/workspace'
 
 roles:
-  'Neos.Neos:LivePublisher':
-    privileges:
-      -
-        privilegeTarget: 'Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace'
-        permission: GRANT
-
   'Neos.Neos:AbstractEditor':
     privileges:
       -
         privilegeTarget: 'Neos.Workspace.Ui:Backend.CreateWorkspaces'
         permission: GRANT
 
-      -
-        privilegeTarget: 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces'
-        permission: GRANT
-
       -
         privilegeTarget: 'Neos.Workspace.Ui:Backend.Module.Management.Workspace'
         permission: GRANT
-
-  'Neos.Neos:Administrator':
-    privileges:
-      -
-        privilegeTarget: 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageInternalWorkspaces'
-        permission: GRANT
-
-      -
-        privilegeTarget: 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageAllPrivateWorkspaces'
-        permission: GRANT
diff --git a/Neos.Workspace.Ui/Migrations/Code/Version20240603134000.php b/Neos.Workspace.Ui/Migrations/Code/Version20240603134000.php
@@ -26,31 +26,11 @@ public function getIdentifier(): string
 
     public function up(): void
     {
-        $this->searchAndReplace(
-            'Neos.Neos:Backend.PublishAllToLiveWorkspace',
-            'Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace',
-            ['yaml', 'html', 'php']
-        );
         $this->searchAndReplace(
             'Neos.Neos:Backend.CreateWorkspaces',
             'Neos.Workspace.Ui:Backend.CreateWorkspaces',
             ['yaml', 'html', 'php']
         );
-        $this->searchAndReplace(
-            'Neos.Neos:Backend.Module.Management.Workspaces.ManageOwnWorkspaces',
-            'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces',
-            ['yaml', 'html', 'php']
-        );
-        $this->searchAndReplace(
-            'Neos.Neos:Backend.Module.Management.Workspaces.ManageInternalWorkspaces',
-            'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageInternalWorkspaces',
-            ['yaml', 'html', 'php']
-        );
-        $this->searchAndReplace(
-            'Neos.Neos:Backend.Module.Management.Workspaces.ManageAllPrivateWorkspaces',
-            'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageAllPrivateWorkspaces',
-            ['yaml', 'html', 'php']
-        );
         $this->searchAndReplace(
             'Neos.Neos:Backend.Module.Management.Workspaces',
             'Neos.Workspace.Ui:Backend.Module.Management.Workspace',