FEATURE: isDescendantOfNodetype matcher

Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/ConditionGenerator.php

@@ -18,6 +18,7 @@
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\ConditionGenerator as EntityConditionGenerator;
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\DisjunctionGenerator;
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\PropertyConditionGenerator;
+use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\DecendantOfNodetypeConditionGenerator;
 use Neos\Flow\Security\Exception\InvalidPrivilegeException;
 use Neos\ContentRepository\Domain\Model\NodeData;
 use Neos\ContentRepository\Domain\Model\NodeInterface;
@@ -86,6 +87,17 @@ public function isDescendantNodeOf($nodePathOrIdentifier)
         return new DisjunctionGenerator([$propertyConditionGenerator1->like($nodePath . '/%'), $propertyConditionGenerator2->equals($nodePath)]);
     }
 
+    /**
+     * @param array $nodeTypes
+     * @return PropertyConditionGenerator
+     */
+    public function isDescendantOfNodetype($nodeTypes)
+    {
+        $propertyConditionGenerator1 = new DecendantOfNodetypeConditionGenerator($nodeTypes);
+
+        return $propertyConditionGenerator1;
+    }
+
     /**
      * @param string|array $nodeTypes
      * @return PropertyConditionGenerator

Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/NodePrivilegeContext.php

@@ -17,6 +17,7 @@
 use Neos\ContentRepository\Domain\Model\NodeInterface;
 use Neos\ContentRepository\Domain\Service\ContentDimensionPresetSourceInterface;
 use Neos\ContentRepository\Domain\Service\ContextFactory;
+use Neos\Eel\FlowQuery\FlowQuery;
 
 /**
  * An Eel context matching expression for the node privileges
@@ -104,6 +105,32 @@ public function isDescendantNodeOf($nodePathOrIdentifier)
         return substr($this->node->getPath() . '/', 0, strlen($nodePath)) === $nodePath;
     }
 
+    /**
+     *
+     * @param string|array $nodeTypes A single or an array of fully qualified NodeType name(s), e.g. "Neos.Neos:Document"
+     * @return boolean true if the given node matches otherwise false
+     */
+    public function isDescendantOfNodetype($nodeTypes)
+    {
+        if ($this->node === null) {
+            return true;
+        }
+        if (!is_array($nodeTypes)) {
+            $nodeTypes = [$nodeTypes];
+        }
+
+        foreach ($nodeTypes as $nodeType) {
+            $fq = new FlowQuery([$this->node]);
+
+            $counted = $fq->closest('[instanceof ' . $nodeType . ']')->count();
+
+            if ($counted > 0) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     /**
      * Matches if the selected node is a *descendant* or *ancestor* of the given node specified by $nodePathOrIdentifier
      *

Neos.ContentRepository/Tests/Behavior/Features/Security/EditNodePrivilege.feature

@@ -13,6 +13,9 @@ Feature: Privilege to restrict editing of nodes
           'Neos.ContentRepository:EditEventNodes':
             matcher: 'isDescendantNodeOf("11d3aded-fb1a-70e7-1412-0b465b11fcd8")'
 
+          'Neos.ContentRepository:EditCollectionType':
+            matcher: 'isDescendantOfNodetype("Neos.ContentRepository.Testing:ContentCollection")'
+
       roles:
         'Neos.Flow:Everybody':
           privileges: []
@@ -31,6 +34,9 @@ Feature: Privilege to restrict editing of nodes
             -
               privilegeTarget: 'Neos.ContentRepository:EditEventNodes'
               permission: GRANT
+            -
+              privilegeTarget: 'Neos.ContentRepository:EditCollectionType'
+              permission: GRANT
       """
 
     And I have the following nodes:
@@ -40,6 +46,26 @@ Feature: Privilege to restrict editing of nodes
       | 68ca0dcd-2afb-ef0e-1106-a5301e65b8a0 | /sites/content-repository/company      | Neos.ContentRepository.Testing:Document | {"title": "Company"}                                   | live      |
       | 52540602-b417-11e3-9358-14109fd7a2dd | /sites/content-repository/service      | Neos.ContentRepository.Testing:Document | {"title": "Service"}                                   | live      |
       | 11d3aded-fb1a-70e7-1412-0b465b11fcd8 | /sites/content-repository/events       | Neos.ContentRepository.Testing:Document | {"title": "Events", "description": "Some cool event"}  | live      |
+      | d09c4e76-79c6-45d9-a12a-c1a06450329c | /sites/content-repository/service/collection           | Neos.ContentRepository.Testing:ContentCollection | {}                            | live      |
+      | 4f7230ba-36b2-4dc3-96fa-b4159371cd3b | /sites/content-repository/service/collection/text      | Neos.ContentRepository.Testing:Text              | {"text": "Cool text"}         | live      |
+
+  @Isolated @fixtures
+  Scenario: Anonymous users are not granted to edit childnodes on ContenCollection nodetypes
+    Given I am not authenticated
+    And I get a node by path "/sites/content-repository/service/collection/text" with the following context:
+      | Workspace  |
+      | user-admin |
+    Then I should not be granted to set the "text" property to "Even cooler text"
+    And I should get false when asking the node authorization service if editing this node is granted
+
+  @Isolated @fixtures
+  Scenario: Administrators are granted to edit childnodes on ContenCollection nodetypes
+    Given I am authenticated with role "Neos.ContentRepository:Administrator"
+    And I get a node by path "/sites/content-repository/service/collection/text" with the following context:
+      | Workspace  |
+      | user-admin |
+    Then I should be granted to set the "text" property to "Even cooler text"
+    And I should get true when asking the node authorization service if editing this node is granted
 
   @Isolated @fixtures
   Scenario: Anonymous users are granted to set properties on company node