
Define rights management for access

Open ninaeberle opened this issue 4 years ago • 1 comments

Description

In order to restrict the access to the files for certain departments, a regulated rights management with certain levels would be a possibility to improve the module.

Steps to Reproduce

  1. Go to the new Media Module
  2. As an administrator I can set who has access to the assets and select between different stages

Expected behavior

It can be set who is granted access to which files.

Actual behavior

In the current module no rights management for the access for certain assets is available.

Affected Versions

Neos:*

UI:*

Media Module:*

You can get this information by running composer show or using the package management module within Neos.

ninaeberle avatar Nov 03 '21 11:11 ninaeberle

IMHO this is covered by privilegeTargets

  • Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege -> matcher isInCollection()
  • Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege -> matcher isTitled()

Policy.yaml

privilegeTargets:
  'Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege':
    'First.Group:AssetRead':
      label: 'First privilege group asset access'
      matcher: 'isInCollection("FirstCollection")'
    'Second.Group:AssetRead':
      label: 'Second privilege group asset access'
      matcher: 'isInCollection("SecondCollection")'

  'Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':
    'First.Group:AssetCollection':
      label: 'First privilege group asset collection access'
      matcher: 'isTitled("FirstCollection")'
    'Second.Group:AssetCollection':
      label: 'Second privilege group asset collection access'
      matcher: 'isTitled("SecondCollection")'

roles:
  'First.Role:FirstAssets':
    label: 'First role asset access'
    description: 'Access to First-Assets'
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'First.Group:AssetRead'
        permission: GRANT
      -
        privilegeTarget: 'First.Group:AssetCollection'
        permission: GRANT
  'Second.Role:FirstAssets':
    label: 'Second role asset access'
    description: 'Access to Second-Assets'
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'Second.Group:AssetRead'
        permission: GRANT
      -
        privilegeTarget: 'Second.Group:AssetCollection'
        permission: GRANT

  1. An asset manager defines collections FirstCollection and SecondCollection for different privileged groups
  2. The asset manager reads in assets into the corresponding collections
  3. A user manager assigns roles First role asset access and/or Second role asset access to users

This works with the old media module as well.

tdausner avatar Dec 12 '22 20:12 tdausner
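
The read decisions the Policy.yaml above produces, as an added Python model that is not part of the original comment or of Neos. It assumes Flow's deny-unless-granted handling of entity privilege targets: an asset matched by a target is hidden unless one of the user's roles GRANTs that target, and an asset no target matches stays readable. The sample assets are constructed.

```python
import re

# Targets and grants copied from the Policy.yaml in the comment above.
ASSET_TARGETS = {
    "First.Group:AssetRead": 'isInCollection("FirstCollection")',
    "Second.Group:AssetRead": 'isInCollection("SecondCollection")',
}
ROLE_GRANTS = {
    "First.Role:FirstAssets": {"First.Group:AssetRead", "First.Group:AssetCollection"},
    "Second.Role:FirstAssets": {"Second.Group:AssetRead", "Second.Group:AssetCollection"},
    "Neos.Neos:Editor": set(),  # parent role; holds no grant on these targets
}

def matched_targets(asset_collections):
    """Targets whose isInCollection() matcher covers an asset in these collections."""
    hits = set()
    for target, matcher in ASSET_TARGETS.items():
        m = re.fullmatch(r'isInCollection\("([^"]+)"\)', matcher)
        if m and m.group(1) in asset_collections:
            hits.add(target)
    return hits

def can_read(user_roles, asset_collections):
    """Assumed rule: every target matching the asset must be GRANTed by some role."""
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in user_roles))
    return matched_targets(asset_collections) <= granted

def audit():
    """Return {(user, asset): bool} for constructed users and assets."""
    assets = {  # constructed sample assets -> collections they belong to
        "first.pdf": {"FirstCollection"},
        "second.pdf": {"SecondCollection"},
        "shared.pdf": {"FirstCollection", "SecondCollection"},
        "loose.pdf": set(),  # in no collection: matched by no target
    }
    users = {  # constructed users -> assigned roles (parent role included)
        "editor": ["Neos.Neos:Editor"],
        "first": ["Neos.Neos:Editor", "First.Role:FirstAssets"],
        "both": ["Neos.Neos:Editor", "First.Role:FirstAssets", "Second.Role:FirstAssets"],
    }
    return {(u, a): can_read(r, c) for u, r in users.items() for a, c in assets.items()}

if __name__ == "__main__":
    for (user, asset), ok in audit().items():
        print(f"{user:7} {asset:11} {'read' if ok else 'hidden'}")
```

Under this model an asset left outside both collections stays readable by every editor, and an asset placed in both collections needs both roles.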