From 10c3d54574f38c1bc18c688943b518ae4fe15a43 Mon Sep 17 00:00:00 2001 
From: mhsdesign <85400359+mhsdesign@users.noreply.github.com> Date: Mon, 6 Jan 2025 11:02:42 +0100 Subject: [PATCH] TASK: Remove obsolete legacy yaml policy for workspaces With the introduction of explicit user assignments for workspaces https://github.com/neos/neos-development-collection/pull/5146 and roles and the full evaluation of those via https://github.com/neos/neos-development-collection/pull/5298 we have replaced the 8.3 YAML security configuration for workspaces that had still been kept until now. This decision was made because, for security, we can no longer use Flow's security framework, which uses AOP, inside the content-repository library, and we also wanted to clean up the user <-> workspace relationship as well as the concept of internal vs shared workspaces. The following YAML roles were removed: - `Neos.ContentRepository:Administrator` - `Neos.ContentRepository:InternalWorkspaceAccess` The following YAML targets were removed: - `Neos.Neos:PublicWorkspaceAccess` - `Neos.Neos:OtherWorkspacesAccess` - `Neos.Neos:Backend.OtherUsersPersonalWorkspaceAccess` - `Neos.Neos:Backend.PublishOwnWorkspaceContent` - `Neos.Neos:Backend.DiscardOwnWorkspaceContent` - `Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace` Note that these targets were moved to the `Neos.Workspace.Ui:Backend` package via https://github.com/neos/neos-development-collection/pull/5118 in 9.0 but have now been removed either way: - `Neos.Neos:Backend.Module.Management.Workspaces.ManageOwnWorkspaces` (`Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces`) - `Neos.Neos:Backend.Module.Management.Workspaces.ManageInternalWorkspaces` (`Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageInternalWorkspaces`) - `Neos.Neos:Backend.Module.Management.Workspaces.ManageAllPrivateWorkspaces` (`Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageAllPrivateWorkspaces`) --- Configuration/Policy.yaml | 36 ----------------------- Migrations/Code/Version20240603134000.php | 20 ------------- 2 files 
changed, 56 deletions(-)
diff --git a/Configuration/Policy.yaml b/Configuration/Policy.yaml
index cc57d46..0084e57 100644
--- a/Configuration/Policy.yaml
+++ b/Configuration/Policy.yaml
@@ -2,58 +2,22 @@ privilegeTargets: 'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege': - 'Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace': - label: Allowed to publish to the live workspace - matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->publishWorkspaceAction(workspace.baseWorkspace.name === "live"))' - 'Neos.Workspace.Ui:Backend.CreateWorkspaces': label: Allowed to create a workspace matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(create|new)Action())' - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces': - label: Allowed to manage own workspaces - matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(publishWorkspace|discardWorkspace|edit|update|delete)Action(workspace.owner === current.userInformation.backendUser))' - - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageInternalWorkspaces': - label: Manage internal workspaces - matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(publishWorkspace|discardWorkspace|edit|update|delete)Action(workspace.owner === null))' - - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageAllPrivateWorkspaces': - label: Manage all private workspaces - matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(publishWorkspace|discardWorkspace|edit|update|delete)Action()) && evaluate(this.workspace.owner !== current.userInformation.backendUser, this.workspace.personalWorkspace === false)' - 'Neos\Neos\Security\Authorization\Privilege\ModulePrivilege': 'Neos.Workspace.Ui:Backend.Module.Management.Workspace': label: General access to the workspace module matcher: 'management/workspace' roles: - 'Neos.Neos:LivePublisher': - privileges: - - - privilegeTarget: 'Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace' - permission: GRANT - 'Neos.Neos:AbstractEditor': privileges: - privilegeTarget: 'Neos.Workspace.Ui:Backend.CreateWorkspaces' permission: GRANT - - - privilegeTarget: 
'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces' - permission: GRANT - - privilegeTarget: 'Neos.Workspace.Ui:Backend.Module.Management.Workspace' permission: GRANT - - 'Neos.Neos:Administrator': - privileges: - - - privilegeTarget: 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageInternalWorkspaces' - permission: GRANT - - - - privilegeTarget: 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageAllPrivateWorkspaces' - permission: GRANT diff --git a/Migrations/Code/Version20240603134000.php b/Migrations/Code/Version20240603134000.php index 7599b1f..476feea 100644 --- a/Migrations/Code/Version20240603134000.php +++ b/Migrations/Code/Version20240603134000.php @@ -26,31 +26,11 @@ public function getIdentifier(): string public function up(): void { - $this->searchAndReplace( - 'Neos.Neos:Backend.PublishAllToLiveWorkspace', - 'Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace', - ['yaml', 'html', 'php'] - ); $this->searchAndReplace( 'Neos.Neos:Backend.CreateWorkspaces', 'Neos.Workspace.Ui:Backend.CreateWorkspaces', ['yaml', 'html', 'php'] ); - $this->searchAndReplace( - 'Neos.Neos:Backend.Module.Management.Workspaces.ManageOwnWorkspaces', - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces', - ['yaml', 'html', 'php'] - ); - $this->searchAndReplace( - 'Neos.Neos:Backend.Module.Management.Workspaces.ManageInternalWorkspaces', - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageInternalWorkspaces', - ['yaml', 'html', 'php'] - ); - $this->searchAndReplace( - 'Neos.Neos:Backend.Module.Management.Workspaces.ManageAllPrivateWorkspaces', - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageAllPrivateWorkspaces', - ['yaml', 'html', 'php'] - ); $this->searchAndReplace( 'Neos.Neos:Backend.Module.Management.Workspaces', 'Neos.Workspace.Ui:Backend.Module.Management.Workspace',