FEATURE: isDescendantOfNodetype matcher

Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/ConditionGenerator.php

@@ -18,6 +18,7 @@
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\ConditionGenerator as EntityConditionGenerator;
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\DisjunctionGenerator;
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\PropertyConditionGenerator;
+use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\DecendantOfNodetypeConditionGenerator;
 use Neos\Flow\Security\Exception\InvalidPrivilegeException;
 use Neos\ContentRepository\Domain\Model\NodeData;
 use Neos\ContentRepository\Domain\Model\NodeInterface;
@@ -86,6 +87,17 @@ public function isDescendantNodeOf($nodePathOrIdentifier)
  return new DisjunctionGenerator([$propertyConditionGenerator1->like($nodePath . '/%'), $propertyConditionGenerator2->equals($nodePath)]);
  }
 
+ /**
+ * @param array $nodeTypes
+ * @return PropertyConditionGenerator
+ */
+ public function isDescendantOfNodetype($nodeTypes)
+ {
+ $propertyConditionGenerator1 = new DecendantOfNodetypeConditionGenerator($nodeTypes);
+
+ return $propertyConditionGenerator1;
+ }
+
  /**
  * @param string|array $nodeTypes
  * @return PropertyConditionGenerator

Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/NodePrivilegeContext.php

@@ -17,6 +17,7 @@
 use Neos\ContentRepository\Domain\Model\NodeInterface;
 use Neos\ContentRepository\Domain\Service\ContentDimensionPresetSourceInterface;
 use Neos\ContentRepository\Domain\Service\ContextFactory;
+use Neos\Eel\FlowQuery\FlowQuery;
 
 /**
  * An Eel context matching expression for the node privileges
@@ -104,6 +105,32 @@ public function isDescendantNodeOf($nodePathOrIdentifier)
  return substr($this->node->getPath() . '/', 0, strlen($nodePath)) === $nodePath;
  }
 
+ /**
+ *
+ * @param string|array $nodeTypes A single or an array of fully qualified NodeType name(s), e.g. "Neos.Neos:Document"
+ * @return boolean true if the given node matches otherwise false
+ */
+ public function isDescendantOfNodetype($nodeTypes)
+ {
+ if ($this->node === null) {
+ return true;
+ }
+ if (!is_array($nodeTypes)) {
+ $nodeTypes = [$nodeTypes];
+ }
+
+ foreach ($nodeTypes as $nodeType) {
+ $fq = new FlowQuery([$this->node]);
+
+ $counted = $fq->closest('[instanceof ' . $nodeType . ']')->count();
+
+ if ($counted > 0) {
+ return true;
+ }
+ }
+ return false;
+ }
+
  /**
  * Matches if the selected node is a *descendant* or *ancestor* of the given node specified by $nodePathOrIdentifier
  *

Neos.ContentRepository/Tests/Behavior/Features/Security/EditNodePrivilege.feature

@@ -13,6 +13,9 @@ Feature: Privilege to restrict editing of nodes
  'Neos.ContentRepository:EditEventNodes':
  matcher: 'isDescendantNodeOf("11d3aded-fb1a-70e7-1412-0b465b11fcd8")'
 
+ 'Neos.ContentRepository:EditCollectionType':
+ matcher: 'isDescendantOfNodetype("Neos.ContentRepository.Testing:ContentCollection")'
+
  roles:
  'Neos.Flow:Everybody':
  privileges: []
@@ -31,6 +34,9 @@ Feature: Privilege to restrict editing of nodes
  -
  privilegeTarget: 'Neos.ContentRepository:EditEventNodes'
  permission: GRANT
+ -
+ privilegeTarget: 'Neos.ContentRepository:EditCollectionType'
+ permission: GRANT
  """
 
  And I have the following nodes:
@@ -40,6 +46,26 @@ Feature: Privilege to restrict editing of nodes
  | 68ca0dcd-2afb-ef0e-1106-a5301e65b8a0 | /sites/content-repository/company | Neos.ContentRepository.Testing:Document | {"title": "Company"} | live |
  | 52540602-b417-11e3-9358-14109fd7a2dd | /sites/content-repository/service | Neos.ContentRepository.Testing:Document | {"title": "Service"} | live |
  | 11d3aded-fb1a-70e7-1412-0b465b11fcd8 | /sites/content-repository/events | Neos.ContentRepository.Testing:Document | {"title": "Events", "description": "Some cool event"} | live |
+ | d09c4e76-79c6-45d9-a12a-c1a06450329c | /sites/content-repository/service/collection | Neos.ContentRepository.Testing:ContentCollection | {} | live |
+ | 4f7230ba-36b2-4dc3-96fa-b4159371cd3b | /sites/content-repository/service/collection/text | Neos.ContentRepository.Testing:Text | {"text": "Cool text"} | live |
+
+ @Isolated @fixtures
+ Scenario: Anonymous users are not granted to edit childnodes on ContenCollection nodetypes
+ Given I am not authenticated
+ And I get a node by path "/sites/content-repository/service/collection/text" with the following context:
+ | Workspace |
+ | user-admin |
+ Then I should not be granted to set the "text" property to "Even cooler text"
+ And I should get false when asking the node authorization service if editing this node is granted
+
+ @Isolated @fixtures
+ Scenario: Administrators are granted to edit childnodes on ContenCollection nodetypes
+ Given I am authenticated with role "Neos.ContentRepository:Administrator"
+ And I get a node by path "/sites/content-repository/service/collection/text" with the following context:
+ | Workspace |
+ | user-admin |
+ Then I should be granted to set the "text" property to "Even cooler text"
+ And I should get true when asking the node authorization service if editing this node is granted
 
  @Isolated @fixtures
  Scenario: Anonymous users are granted to set properties on company node