WIP: FEATURE: Content Repository Privileges

[bwaidelich]

Related: #3732

[bwaidelich]

does it make sense to check the privileges here already?

[skurfuerst]

I would say yes (if we can, like it is done here). Ofc people could work around this if they manually instanciated ContentSubgraph; but we could never prevent this.

[bwaidelich]

rename to sth like $this->privilegeProvider->isFetchingOfNodesAllowedInSubgraph($contentStreamId, $dimensionSpacePoint) (consider using result object for more context)

[bwaidelich]

This is missing the "restriction edge attributes" still

[bwaidelich]

(see #4557 -> but they will be called node tags as discussed)

[bwaidelich]

Rename to sth like ReadPrivileges

[bwaidelich]

The PrivilegeProvider currently has a dependency to...

• the UserIdProvider to load policies of the authenticated user
• the ContentRepositoryRegistry to retrieve ContentStreams for the user (via WorkspaceFinder)..

This is nasty

[skurfuerst]

UserIdProvider is fine IMHO, ContentRepositoryRegistry should go away. What about making the $contentRepository available to the provider at runtime? would IMHO be easier and more consistent.

[bwaidelich]

@skurfuerst can you clarify what you mean by "available [...] at runtime"? A parameter of the PrivilegeProvider::getPrivileges() method? But than the ContentGraph would need to pass it

[skurfuerst]

yep, that's what I thought - similar to what we did in the command handlers. But you are right, the projection does not know it yet...

[bwaidelich]

Not really a FakePrivilegeProvider but a first implementation to test content stream access

[bwaidelich]

This won't necessarily return the actual user workspace, but any shared workspace with the same owner.
Also this won't include base workspaces currently

[skurfuerst]

dangerous code - people without user workspace will automatically be admins. let's discuss :)

[bwaidelich]

hehe, good catch. That can't stay like this ofc

[skurfuerst]

really really cool ❤️ ❤️ ❤️ ❤️

[skurfuerst]

I would say yes (if we can, like it is done here). Ofc people could work around this if they manually instanciated ContentSubgraph; but we could never prevent this.

[skurfuerst]

what is the semantics of having both of these lists? :) I don't fully understand this yet.

[bwaidelich]

Me neither :)
But I thought, that might need both. an allow list and a deny list..

[bwaidelich]

Looking at this after a break, I think the terms "allowed" and "disallowed" are not helpful.
i.e. what does $privileges->isContentStreamAllowed($contentStreamId) exactly mean?

Also we should re-evaluate whether we really need allow- and deny list

[skurfuerst]

Hm, I am not so sure about this one - IMHO this must be done lazily (otherwise we could under some scenarios have REALLY long lists of contentStreamIds; where only a single one will be relevant here)

[bwaidelich]

isn't it just the currently active Content Streams of the user workspace (and its base workspace(s))?

[bwaidelich]

rename to sth. that makes clearer that this is about filtering nodes

[skurfuerst]

UserIdProvider is fine IMHO, ContentRepositoryRegistry should go away. What about making the $contentRepository available to the provider at runtime? would IMHO be easier and more consistent.

[skurfuerst]

dangerous code - people without user workspace will automatically be admins. let's discuss :)

[bwaidelich]

A couple of ideas @skurfuerst and I just came up with:

We should change the PrivilegeProviderInterface to a more functional interface like:

interface PrivilegeProviderInterface {

    public function isFetchingOfNodesAllowedInSubgraph(ContentStreamId $contentStreamId, DimensionSpacePoint $dimensionSpacePoint): PrivilegeResult;

    public function isCommandAllowed(CommandInterface $command): PrivilegeResult;

}

(potentially split into two individual interfaces)
The PrivilegeResult (better name to be found) is basically a boolean + x (e.g. some context on why s.th. is not allowed).

This should make it possible to deal with all 4 security related categories we came up with:

1. Prevent certain commands to be handled

This could be enforced with a single call to the PrivilegeProviderInterface::isCommandAllowed() inside ContentRepository::handle()

Examples

• Prevent anonymous user from altering nodes
• Prevent user X from altering nodes in workspace of user Y
• Allow role X alter only content underneath nodes with a certain tag (e.g. NewsArea)

1a. Determine whether a certain command is allowed

This would not be part of the core itself – Instead the surrounding framework (e.g. Neos) could call their implementation of the isCommandAllowed() method.
That approach might not be feasible – it's up to the implementation to decide

Examples

• Can Node X moved to Node Y (might be dependent on the node tags)

2. Hide certain nodes depending on the context

This will be enforced via "Subtree Tags" (#4550).
Deciding which tags are allowed in the VisibilityConstraints would not be a responsibility of the CR

Examples

• Hide disabled nodes in frontend
• Hide nodes within some "member" area tag in frontend

3. Hide UI elements depending on the context

Like above this would not be a concern of the CR

Examples

• Hide "disable" button if the corresponding command is not allowed for the authenticated user

[bwaidelich]

Closing in favor of #5298