Some issues in BeechIt\FalSecuredownload\Security\CheckPermissions->getPermissions(ResourceInterface $resource)
1. Go up the rootline
The break statement in the foreach loop should only be executed if $feGroups contains at least one element. Otherwise the loop should continue until a group is found or the rootline ends.
2. Only the file has resource group(s) assigned
If a file resource has a fe_group assigned but not any folder in the rootline, $feGroups will obviously be empty before and after ArrayUtility::keepItemsInArray().
In such a case the fe_groups of the file resource have to be taken over directly.
3. Take care of group inheritance?
Imagine groups inside $feGroups are subgroups of other groups. So those other groups should also be granted access. So $feGroups should be enriched by these other groups. And this should be done for both - the $feGroups of the folder and for the file resource - before they are merged together with ArrayUtility::keepItemsInArray().
4. Contradictory fe_groups?
Assume the foreach loop ends with some groups inside $feGroups, but the fe_groups of the file resource do not fit them.
In this case $feGroups will be empty after keepItemsInArray() although there has been a secured folder and file. But an empty $feGroups means access for everyone. This is not good for security.
In such a case it would be better if nobody has access. I propose to take the current timestamp as fe_group in such a case.
But:
solrfal will kick out this nonexistent group. So I'll leave it as it is for now :-(
I'll fork the GitHub repository and create a pull request for issues 1-3.
Greetings Harald
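The three resolution cases from the report (groups only on a parent folder, groups only on the file, disjoint folder and file groups), as an added example that is neither part of the original post nor the extension's code. Both functions are a simplified model: the function names, the array-based rootline, the unconditional `break` and the `null` "deny everyone" return value are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Model only. Each rootline entry is one folder's fe_group list, ordered from
// the file's folder up to the storage root. [] means "no restriction" (public).

// Behaviour as the report describes it; the break is modelled as unconditional.
function groupsAsDescribed(array $rootline, array $fileGroups): array
{
    $feGroups = [];
    foreach ($rootline as $folderGroups) {
        $feGroups = $folderGroups;
        break; // issue 1: leaves the loop even when this folder has no groups
    }
    if ($fileGroups !== []) {
        // issues 2 and 4: an empty or disjoint $feGroups ends up empty (public)
        $feGroups = array_values(array_intersect($feGroups, $fileGroups));
    }
    return $feGroups;
}

// Fail-closed variant: null (assumed sentinel) means nobody may access the file.
function resolveGroups(array $rootline, array $fileGroups): ?array
{
    $folderGroups = [];
    foreach ($rootline as $groups) {
        if ($groups !== []) { // issue 1: stop only at a folder that has groups
            $folderGroups = $groups;
            break;
        }
    }
    if ($folderGroups === [] || $fileGroups === []) {
        // issue 2: only one side is restricted, so use that side directly
        return array_values($folderGroups ?: $fileGroups);
    }
    $common = array_values(array_intersect($folderGroups, $fileGroups));
    return $common === [] ? null : $common; // issue 4: disjoint means deny
}

// Constructed cases: [rootline, file fe_groups].
$cases = [
    'groups only on parent folder' => [[[], [7]], []],
    'groups only on file'          => [[[], []], [5]],
    'folder and file disjoint'     => [[[7]], [5]],
];
foreach ($cases as $label => [$rootline, $fileGroups]) {
    printf("%-30s described=%s resolved=%s\n", $label,
        json_encode(groupsAsDescribed($rootline, $fileGroups)),
        json_encode(resolveGroups($rootline, $fileGroups)));
}
```

A caller of the fail-closed variant has to treat `null` and `[]` differently, which is the distinction a list of group ids alone cannot express.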