diff --git a/Neos.ContentRepository.NodeAccess/Configuration/Policy.yaml b/Neos.ContentRepository.NodeAccess/Configuration/Policy.yaml deleted file mode 100644 index d015bec6748..00000000000 --- a/Neos.ContentRepository.NodeAccess/Configuration/Policy.yaml +++ /dev/null @@ -1,30 +0,0 @@ -# # -# Security policy for the ContentRepository package # -# # - -privilegeTargets: - 'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege': - 'Neos.Neos:PublicWorkspaceAccess': - label: Allowed to access the public workspace - matcher: 'method(Neos\ContentRepository\Domain\Service\Context->validateWorkspace()) && evaluate(this.workspace.publicWorkspace === true)' - - 'Neos.Neos:OtherWorkspacesAccess': - label: Allowed to access to other users workspaces - matcher: 'method(Neos\ContentRepository\Domain\Service\Context->validateWorkspace()) && evaluate(this.workspace.publicWorkspace === false) && evaluate(this.workspace.personalWorkspace === false)' - -roles: - 'Neos.Flow:Everybody': - privileges: - - privilegeTarget: 'Neos.Neos:PublicWorkspaceAccess' - permission: GRANT - - 'Neos.ContentRepository:InternalWorkspaceAccess': - abstract: TRUE - privileges: - - privilegeTarget: 'Neos.Neos:OtherWorkspacesAccess' - permission: GRANT - - 'Neos.ContentRepository:Administrator': - abstract: true - parentRoles: ['Neos.ContentRepository:InternalWorkspaceAccess'] - diff --git a/Neos.Neos/Configuration/Policy.yaml b/Neos.Neos/Configuration/Policy.yaml index c5f3beb3ca3..d8b19e088c9 100644 --- a/Neos.Neos/Configuration/Policy.yaml +++ b/Neos.Neos/Configuration/Policy.yaml 
@@ -47,23 +47,10 @@ privilegeTargets: label: Access to own personal workspace matcher: 'method(Neos\Neos\TypeConverter\NodeConverter->prepareContextProperties(workspaceName === current.userInformation.personalWorkspaceName))' - # No role should have this privilege assigned: - 'Neos.Neos:Backend.OtherUsersPersonalWorkspaceAccess': - label: Access to other users personal workspace - matcher: 'method(Neos\ContentRepository\Domain\Service\Context->validateWorkspace()) && evaluate(this.workspace.owner !== current.userInformation.backendUser, this.workspace.personalWorkspace === true)' - 'Neos.Neos:Backend.EditContent': label: General access to content editing matcher: 'method(Neos\Neos\Service\Controller\NodeController->(show|getPrimaryChildNode|getChildNodesForTree|filterChildNodesForTree|getChildNodes|getChildNodesFromParent|create|createAndRender|createNodeForTheTree|move|moveBefore|moveAfter|moveInto|moveAndRender|copy|copyBefore|copyAfter|copyInto|copyAndRender|update|updateAndRender|delete|searchPage|error)Action()) || method(Neos\Neos\Controller\Backend\ContentController->(uploadAsset|assetsWithMetadata|imageWithMetadata|createImageVariant|error)Action()) || method(Neos\Neos\Controller\Service\AssetProxiesController->(index|show|import|error)Action()) || method(Neos\Neos\Controller\Service\AssetsController->(index|show|error)Action()) || method(Neos\Neos\Controller\Service\NodesController->(index|show|create|error)Action())' - 'Neos.Neos:Backend.PublishOwnWorkspaceContent': - label: Allowed to publish own personal workspace - matcher: 'method(Neos\Neos\Service\Controller\WorkspaceController->(publishNode|publishNodes|error)Action()) || method(Neos\Neos\Service\Controller\WorkspaceController->publishAllAction(workspaceName = current.userInformation.personalWorkspaceName)) || method(Neos\Neos\Service\Controller\WorkspaceController->getWorkspaceWideUnpublishedNodesAction(workspace.name = current.userInformation.personalWorkspaceName))' - - 
'Neos.Neos:Backend.DiscardOwnWorkspaceContent': - label: Allowed to discard changes in own workspace - matcher: 'method(Neos\Neos\Service\Controller\WorkspaceController->(discardNode|discardNodes|error)Action()) || method(Neos\Neos\Service\Controller\WorkspaceController->discardAllAction(workspace.name === current.userInformation.personalWorkspaceName))' - # # User management and user settings # @@ -173,7 +160,6 @@ roles: 'Neos.Neos:AbstractEditor': # This group is assigned conventionally for new shared workspaces as collaborator. See WorkspaceService::assignWorkspaceRole abstract: true - parentRoles: ['Neos.ContentRepository:Administrator'] privileges: - privilegeTarget: 'Neos.Neos:Backend.GeneralAccess' @@ -191,14 +177,6 @@ roles: privilegeTarget: 'Neos.Neos:Backend.EditContent' permission: GRANT - - - privilegeTarget: 'Neos.Neos:Backend.PublishOwnWorkspaceContent' - permission: GRANT - - - - privilegeTarget: 'Neos.Neos:Backend.DiscardOwnWorkspaceContent' - permission: GRANT - - privilegeTarget: 'Neos.Neos:Backend.ContentDimensions' permission: GRANT diff --git a/Neos.Workspace.Ui/Configuration/Policy.yaml b/Neos.Workspace.Ui/Configuration/Policy.yaml index cc57d46f5f7..0084e5775dc 100644 --- a/Neos.Workspace.Ui/Configuration/Policy.yaml +++ b/Neos.Workspace.Ui/Configuration/Policy.yaml 
@@ -2,58 +2,22 @@ privilegeTargets: 'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege': - 'Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace': - label: Allowed to publish to the live workspace - matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->publishWorkspaceAction(workspace.baseWorkspace.name === "live"))' - 'Neos.Workspace.Ui:Backend.CreateWorkspaces': label: Allowed to create a workspace matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(create|new)Action())' - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces': - label: Allowed to manage own workspaces - matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(publishWorkspace|discardWorkspace|edit|update|delete)Action(workspace.owner === current.userInformation.backendUser))' - - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageInternalWorkspaces': - label: Manage internal workspaces - matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(publishWorkspace|discardWorkspace|edit|update|delete)Action(workspace.owner === null))' - - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageAllPrivateWorkspaces': - label: Manage all private workspaces - matcher: 'method(Neos\Workspace\Ui\Controller\WorkspaceController->(publishWorkspace|discardWorkspace|edit|update|delete)Action()) && evaluate(this.workspace.owner !== current.userInformation.backendUser, this.workspace.personalWorkspace === false)' - 'Neos\Neos\Security\Authorization\Privilege\ModulePrivilege': 'Neos.Workspace.Ui:Backend.Module.Management.Workspace': label: General access to the workspace module matcher: 'management/workspace' roles: - 'Neos.Neos:LivePublisher': - privileges: - - - privilegeTarget: 'Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace' - permission: GRANT - 'Neos.Neos:AbstractEditor': privileges: - privilegeTarget: 'Neos.Workspace.Ui:Backend.CreateWorkspaces' permission: GRANT - - - privilegeTarget: 
'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces' - permission: GRANT - - privilegeTarget: 'Neos.Workspace.Ui:Backend.Module.Management.Workspace' permission: GRANT - - 'Neos.Neos:Administrator': - privileges: - - - privilegeTarget: 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageInternalWorkspaces' - permission: GRANT - - - - privilegeTarget: 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageAllPrivateWorkspaces' - permission: GRANT diff --git a/Neos.Workspace.Ui/Migrations/Code/Version20240603134000.php b/Neos.Workspace.Ui/Migrations/Code/Version20240603134000.php index 7599b1f78e2..476feea6fb3 100644 --- a/Neos.Workspace.Ui/Migrations/Code/Version20240603134000.php +++ b/Neos.Workspace.Ui/Migrations/Code/Version20240603134000.php @@ -26,31 +26,11 @@ public function getIdentifier(): string public function up(): void { - $this->searchAndReplace( - 'Neos.Neos:Backend.PublishAllToLiveWorkspace', - 'Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace', - ['yaml', 'html', 'php'] - ); $this->searchAndReplace( 'Neos.Neos:Backend.CreateWorkspaces', 'Neos.Workspace.Ui:Backend.CreateWorkspaces', ['yaml', 'html', 'php'] ); - $this->searchAndReplace( - 'Neos.Neos:Backend.Module.Management.Workspaces.ManageOwnWorkspaces', - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces', - ['yaml', 'html', 'php'] - ); - $this->searchAndReplace( - 'Neos.Neos:Backend.Module.Management.Workspaces.ManageInternalWorkspaces', - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageInternalWorkspaces', - ['yaml', 'html', 'php'] - ); - $this->searchAndReplace( - 'Neos.Neos:Backend.Module.Management.Workspaces.ManageAllPrivateWorkspaces', - 'Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageAllPrivateWorkspaces', - ['yaml', 'html', 'php'] - ); $this->searchAndReplace( 'Neos.Neos:Backend.Module.Management.Workspaces', 'Neos.Workspace.Ui:Backend.Module.Management.Workspace',
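Review bot: With `ManageOwnWorkspaces`, `ManageInternalWorkspaces`, `ManageAllPrivateWorkspaces` and `PublishAllToLiveWorkspace` removed, the only method privilege left in this file for `Neos\Workspace\Ui\Controller\WorkspaceController` is `CreateWorkspaces` on `(create|new)Action`, so `publishWorkspace`, `discardWorkspace`, `edit`, `update` and `delete` are no longer matched by any method privilege here. Every role inheriting `Neos.Neos:AbstractEditor` still receives the module privilege `Neos.Workspace.Ui:Backend.Module.Management.Workspace`, so the ownership and publish-to-live checks now have to be enforced inside the controller or the content repository, which this diff does not show. I would add a comment above the module privilege naming where that check lives, e.g. `# Per-workspace permissions are enforced in <component>, not by method privileges`. I would also add a functional test that a role which never held `Neos.Workspace.Ui:Backend.PublishAllToLiveWorkspace` is refused on `publishWorkspaceAction` for a workspace based on live.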
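Review bot: The `searchAndReplace` kept at the end of this hunk searches for `Neos.Neos:Backend.Module.Management.Workspaces`, which is a prefix of the three `...Workspaces.Manage*` identifiers whose dedicated replacements are removed above. If `searchAndReplace` is a plain substring replacement, a downstream Policy.yaml that still grants `Neos.Neos:Backend.Module.Management.Workspaces.ManageOwnWorkspaces` is rewritten to `Neos.Workspace.Ui:Backend.Module.Management.Workspace.ManageOwnWorkspaces`, a privilege target this commit deletes, while an old `Neos.Neos:Backend.PublishAllToLiveWorkspace` grant is left untouched. Either way the integrator ends up with a role that references an undefined target and gets no hint that the permission model changed. I would report the four retired identifiers explicitly from `up()`, for instance through the migration base class's `showWarning()` helper if it is available here, with a message such as `'Privilege target ...ManageOwnWorkspaces was removed; assign workspace roles instead'`. `up()` continues past the end of this hunk, so the remaining replacements were not reviewed.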