
neos-package assetconstraints

Simple package to constraint access to Neos.Media assets based on tags, content type or asset collection


wwwision/assetconstraints


  • Tuesday, October 17, 2017
  • by bwaidelich
  • Repository
  • 2 Watchers
  • 5 Stars
  • 49 Installations
  • PHP
  • 1 Dependents
  • 0 Suggesters
  • 3 Forks
  • 0 Open issues
  • 3 Versions
  • 69 % Grown

The README.md

Wwwision.AssetConstraints

Simple package to constrain access to Neos.Media assets based on tags, content type or asset collection.

NOTE: The functionality of this package has since been ported to the Neos Core, as of version 3.3.

Usage

  1. Drop package into your (Neos) installation
  2. Add policies to your main package Policy.yaml
  3. Adjust Settings and NodeTypes configuration to your needs

Features

New Asset privileges:

This package comes with Entity Privileges that allow restricting read access to Assets based on several attributes:

Restrict read access to Assets based on their media type

Policy.yaml:

privilegeTargets:
  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege':
    'Some.Package:ReadAllPDFs':
      matcher: 'hasMediaType("application/pdf")'

Restrict read access to Assets based on Tag

Policy.yaml:

privilegeTargets:
  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege':
    'Some.Package:ReadConfidentialAssets':
      matcher: 'isTagged("confidential")'

Restrict read access to Assets based on Asset Collection

Policy.yaml:

privilegeTargets:
  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege':
    'Some.Package:ReadSpecialAssets':
      matcher: 'isInCollection("some-collection")'

Of course, you can combine the three matchers, for example:

privilegeTargets:
  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege':
    'Some.Package:ReadConfidentialPdfs':
      matcher: 'hasMediaType("application/pdf") && isTagged("confidential")'

Restrict read access to Tags based on Tag label

Policy.yaml:

privilegeTargets:
  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadTagPrivilege':
    'Some.Package:ReadConfidentialTags':
      matcher: 'isLabeled("confidential")'

Restrict read access to Asset Collections based on Collection title

Policy.yaml:

privilegeTargets:
  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':
    'Some.Package:ReadSpecialAssetCollection':
      matcher: 'isTitled("some-collection")'

Custom Editors to set Asset Collection based on node properties:

When uploading new Assets using the Neos inspector, they will be added to the current site's default Asset Collection if one is configured in the Sites Management module.

Unfortunately this mechanism is not (yet) flexible enough to set the collection based on other characteristics (the currently selected node, for example).

This package therefore adds two specialized Inspector editors for Asset/Image uploads that send the current node along with the upload data to the server. It also hooks into the asset creation process (via AOP) to add the uploaded Asset to an Asset Collection based on the current node.

The default behavior is to grab the closest document node, evaluate its "assetCollection" property and, if that succeeds, add the Asset to that collection.

This package also comes with a DataSource to allow for selecting the AssetCollection.

Adding "assetCollection" property to all Document nodes:

NodeTypes.yaml:

'Neos.Neos:Document':
  ui:
    inspector:
      groups:
        'assets':
          label: 'Assets'
  properties:
    'assetCollection':
      ui:
        label: 'Asset Collection'
        inspector:
          group: 'assets'
          editor: 'Content/Inspector/Editors/SelectBoxEditor'
          editorOptions:
            dataSourceIdentifier: 'wwwision-assetconstraints-assetcollections'
            allowEmpty: true
            placeholder: 'Asset Collection for uploads'

NOTE: Usually you don't want to add a property to all Document nodes (including shortcuts, ...) but to a more specific node type such as Your.Package:Page.

Adjusting the behavior of the AOP aspect:

As mentioned above, the default behavior of the AOP aspect is to check for a property called "assetCollection" in the closest Neos.Neos:Document node of the node the asset was uploaded to.

This can be adjusted via Settings. Imagine you have a custom node type Your.Package:MainPage that contains the target assetCollection in a property "collection":

Settings.yaml:

Wwwision:
  AssetConstraints:
    nodeLookup:
      nodeFilter: '[instanceof Your.Package:MainPage]'
      propertyName: 'collection'

Example Policy

Suppose you have three "groups" with corresponding roles Some.Package:Group1Editor, Some.Package:Group2Editor and Some.Package:Group3Editor, as well as an administrative role Some.Package:Administrator.

If you also have three "Asset Collections" named group1, group2 and group3, the following Policy.yaml restricts editors to seeing only the collections and assets corresponding to their role:

privilegeTargets:

  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege':

    'Some.Package:Group1.ReadAssets':
      matcher: 'isInCollection("group1")'
    'Some.Package:Group2.ReadAssets':
      matcher: 'isInCollection("group2")'
    'Some.Package:Group3.ReadAssets':
      matcher: 'isInCollection("group3")'

  'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':

    'Some.Package:Group1.ReadCollections':
      matcher: 'isTitled("group1")'
    'Some.Package:Group2.ReadCollections':
      matcher: 'isTitled("group2")'
    'Some.Package:Group3.ReadCollections':
      matcher: 'isTitled("group3")'

roles:

  'Your.Package:Administrator':
    privileges:
      -
        privilegeTarget: 'Some.Package:Group1.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group1.ReadCollections'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group2.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group2.ReadCollections'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group3.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group3.ReadCollections'
        permission: GRANT

  'Your.Package:Group1Editor':
    privileges:
      -
        privilegeTarget: 'Some.Package:Group1.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group1.ReadCollections'
        permission: GRANT

  'Your.Package:Group2Editor':
    privileges:
      -
        privilegeTarget: 'Some.Package:Group2.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group2.ReadCollections'
        permission: GRANT

  'Your.Package:Group3Editor':
    privileges:
      -
        privilegeTarget: 'Some.Package:Group3.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group3.ReadCollections'
        permission: GRANT
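
The effect of the Example Policy on asset visibility, as an added Python model (not part of the package or its README). It assumes an asset is hidden whenever it matches a ReadAssetPrivilege target that none of the user's roles has been granted, and that assets matching no target stay visible; DENY is not modeled, and the sample asset names are constructed.

```python
"""Added example: simplified model of the Example Policy's asset filtering."""

# privilegeTarget -> collection named in its isInCollection() matcher (from the policy)
ASSET_TARGETS = {
    "Some.Package:Group1.ReadAssets": "group1",
    "Some.Package:Group2.ReadAssets": "group2",
    "Some.Package:Group3.ReadAssets": "group3",
}

# role -> asset privilege targets with permission GRANT (from the roles section)
ROLE_GRANTS = {
    "Your.Package:Administrator": set(ASSET_TARGETS),
    "Your.Package:Group1Editor": {"Some.Package:Group1.ReadAssets"},
    "Your.Package:Group2Editor": {"Some.Package:Group2.ReadAssets"},
    "Your.Package:Group3Editor": {"Some.Package:Group3.ReadAssets"},
}

# Constructed sample assets (hypothetical names): asset -> collections it belongs to
SAMPLE_ASSETS = {
    "budget.pdf": {"group1"},
    "roadmap.pdf": {"group2"},
    "shared.pdf": {"group1", "group2"},  # edge case: member of two collections
    "logo.png": set(),                   # edge case: member of no collection
}


def matching_targets(collections):
    """Privilege targets whose matcher selects an asset in these collections."""
    return {t for t, c in ASSET_TARGETS.items() if c in collections}


def can_read(roles, collections):
    """Assumed rule: every matching target must be granted to one of the roles."""
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in roles))
    return matching_targets(collections) <= granted


def visible_assets(roles):
    """Sorted names of the sample assets a user with these roles can read."""
    return sorted(n for n, c in SAMPLE_ASSETS.items() if can_read(roles, c))


if __name__ == "__main__":
    for role in ROLE_GRANTS:
        print(role, visible_assets([role]))
```

Under this model, an asset in two restricted collections is visible only to users granted both targets, and an asset outside every restricted collection is visible to everyone, so untagged uploads are worth checking when reviewing such a policy.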

Credits

The development of this package was kindly sponsored by Web Essentials!

The Versions

  • dev-master (9999999-dev), 17/10 2017, GPL-3.0+, by Bastian Waidelich
  • v0.5.0 (0.5.0.0), 17/10 2017, GPL-3.0+, by Bastian Waidelich
  • v0.1.0 (0.1.0.0), 09/08 2017, GPL-3.0+, by Bastian Waidelich. Description at this version: "Simple package to constraint access to TYPO3.Media assets based on tags, content type or asset collection"