Access security #11
Comments
Yes, at the moment all of the configured resource trees are available. We would need to configure which ones are exposed and also think about how to filter what is made available. Of course all of this should normally be behind a firewall.
maybe the controller should by default check for isGranted
I also see this as mainly a job for the firewall to cover. Once we add write support we should make sure that we can handle the different operations using isGranted checks.
I would also add to the "global"
so you will have control over every kind of resource in the tree.
So you would translate the whole path to role names? With a deep path, this could end up in a lot of role checks. IMHO that would just be duplicating what you can do with the firewall. I think the way to go further would be custom security voters that can look at whatever application-specific things (document type, information in the PHPCR tree) to decide, which means the controller could ask with the document in question as well. Maybe only ask with that, and have a security voter that checks for the CMF_RESOURCE_READER/EDITOR role.
* # This is a combination of 29 commits.
  # This is the 1st commit message: DevKit updates
  # This is the commit message #2: improvements to get the tests running
  # This is the commit message #3: try to call unit tests only
  # This is the commit message #4: DevKit updates
  # This is the commit message #5: add correct cache/log path to gitignor
  # This is the commit message #6: DevKit updates
  # This is the commit message #7: DevKit updates
  # This is the commit message #8: DevKit updates
  # This is the commit message #9: DevKit updates
  # This is the commit message #10: DevKit updates
  # This is the commit message #11: DevKit updates
  # This is the commit message #12: restriction on sebastion/exporter
  # This is the commit message #13: fix composer.json
  # This is the commit message #14: use higher versions
  # This is the commit message #15: use higher version
  # This is the commit message #16: DevKit updates
  # This is the commit message #17: DevKit updates
  # This is the commit message #18: DevKit updates
  # This is the commit message #19: try verbose
  # This is the commit message #20: try testdox
  # This is the commit message #21: try makefile change
  # This is the commit message #22: try travis
  # This is the commit message #23: back
  # This is the commit message #24: restrict sebastianbergmann/environment
  # This is the commit message #25: restrict sebastianbergmann/environment
  # This is the commit message #26: try to turn around
  # This is the commit message #27: support symfony 3.4, new testing app folder structure
  # This is the commit message #28: support symfony 3.4, new testing app folder structure
  # This is the commit message #29: use caret operator for symfony-cmf/resource-bundle
* merge conflicts
DevKit updates for master branch (#59)
* DevKit updates
* DevKit updates
* merge conflicts
fixes due to StyleCI
fix symfony component version
re add packages after merging
If I'm not missing something, this bundle allows everyone to request the API URLs. At this moment, it means one can retrieve all tree information, even from nodes that shouldn't be shown to other people.
Besides that, when we implement more things than just GET (#6), even more things will be provided to the hacker.
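The exposure described in this issue (every configured resource tree reachable through the API) and the voter approach proposed in the comments, as an added example. This is not code from the symfony-cmf resource REST bundle: the voter class, the `CMF_RESOURCE_READ`/`CMF_RESOURCE_EDIT` attribute names, the list of exposed path prefixes, the `filterReadableChildren()` helper and the assumption that the resource subject exposes a `getPath()` method are all assumptions made for the example. It maps the `CMF_RESOURCE_READER`/`CMF_RESOURCE_EDITOR` roles from the comments onto per-resource decisions, so the controller can ask `isGranted()` with the document in question rather than translating paths into role names.

```php
<?php
// Added example, not code from the symfony-cmf resource REST bundle: a Symfony
// security voter that answers isGranted() with the resource as the subject. It
// denies anything outside the subtrees the API is meant to expose, and only
// then checks the CMF_RESOURCE_READER / CMF_RESOURCE_EDITOR roles.

namespace App\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

class ResourceVoter extends Voter
{
    // Attribute names are assumptions; a controller passes one of them to
    // isGranted()/denyAccessUnlessGranted() together with the resource.
    const READ = 'CMF_RESOURCE_READ';
    const EDIT = 'CMF_RESOURCE_EDIT';

    /** @var string[] path prefixes the REST API may expose (assumed config) */
    private $exposedPrefixes;

    public function __construct(array $exposedPrefixes = ['/cms/content'])
    {
        $this->exposedPrefixes = $exposedPrefixes;
    }

    protected function supports($attribute, $subject)
    {
        // Assumption: the subject is a resource object with getPath(), as the
        // PHPCR/Puli-style resources the bundle serves have. Other subjects
        // are abstained on so that other voters can decide.
        return in_array($attribute, [self::READ, self::EDIT], true)
            && is_object($subject)
            && method_exists($subject, 'getPath');
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        // Deny resources outside the exposed subtrees before looking at roles,
        // so unconfigured resource trees never leak through the API.
        if (!$this->isExposed($subject->getPath())) {
            return false;
        }

        $roles = $this->roleNames($token);

        switch ($attribute) {
            case self::READ:
                // editors implicitly get read access
                return in_array('CMF_RESOURCE_READER', $roles, true)
                    || in_array('CMF_RESOURCE_EDITOR', $roles, true);
            case self::EDIT:
                return in_array('CMF_RESOURCE_EDITOR', $roles, true);
        }

        return false;
    }

    private function isExposed($path)
    {
        // Reject relative segments outright; a path is only "under" a prefix
        // if it is the prefix itself or the prefix followed by '/'.
        foreach (explode('/', $path) as $segment) {
            if ('.' === $segment || '..' === $segment) {
                return false;
            }
        }
        foreach ($this->exposedPrefixes as $prefix) {
            $prefix = rtrim($prefix, '/');
            if ($path === $prefix || 0 === strpos($path, $prefix.'/')) {
                return true;
            }
        }

        return false;
    }

    private function roleNames(TokenInterface $token)
    {
        // Symfony 4.3+ has getRoleNames(); Symfony 3.4 returns Role objects
        // from getRoles(), so both shapes are handled here.
        if (method_exists($token, 'getRoleNames')) {
            return $token->getRoleNames();
        }

        return array_map(function ($role) {
            return is_object($role) ? $role->getRole() : (string) $role;
        }, $token->getRoles());
    }
}

/**
 * Hypothetical helper (not in the bundle) for tree listings: children the
 * caller may not read are dropped instead of being serialised.
 */
function filterReadableChildren(AuthorizationCheckerInterface $auth, array $children)
{
    return array_values(array_filter($children, function ($child) use ($auth) {
        return $auth->isGranted(ResourceVoter::READ, $child);
    }));
}
```

With autoconfiguration (Symfony 3.3+) a `Voter` subclass is tagged `security.voter` automatically; otherwise tag the service by hand. A controller then calls `$this->denyAccessUnlessGranted(ResourceVoter::READ, $resource)` before serialising a node and runs child lists through `filterReadableChildren()`. The firewall's `access_control` still belongs in front of the API route, as the comments say; the voter adds the per-resource decision that a path-based role check cannot express.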