Flowpack / media-ui

The development repository for the new Neos media management interface
GNU General Public License v3.0

Extend ReadAssetPrivilege and ReadAssetCollectionPrivilege to work with nested collections #232

Closed lorenzulrich closed 7 months ago

lorenzulrich commented 7 months ago

In the absence of better alternatives, Asset Collections are used to provide separate file management in a multi-site installation. Example:

privilegeTargets:
  'Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege':
    'FoobarCom.Site.Corporate:Assets':
      matcher: 'isInCollection("Corporate")'
  'Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':
    'FoobarCom.Site.Corporate:AssetCollection':
      matcher: 'isTitled("Corporate")'

Using the new Media UI, we can use nested collections to have a folder-like file management. In this case, if an asset is placed in a "sub asset collection" that is not covered by a privilege, it is available to all users. It also leads to an error described at https://github.com/Flowpack/media-ui/issues/231.

Requirement

In my opinion, we need a new privilege or matcher that checks permissions recursively. So if an Asset is in a collection being a parent of a protected collection (e.g. "Corporate" as in the example above), permission should be denied.

Affected Versions

Neos: 8.3
Media Module: 1.0
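The gap reported above, and a recursive check that closes it, as a small Python model. This is an added example, not part of the original post and not code from Neos or Flowpack.Media.Ui; the `Collection` class, the function names and the sample collections are hypothetical and constructed, and the model assumes that an asset matching no privilege target is readable by everyone, as the issue describes.

```python
# Constructed model of nested asset collections. All names are hypothetical
# and are not Neos or Flowpack.Media.Ui APIs.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(eq=False)
class Collection:
    title: str
    parent: Optional["Collection"] = None


def flat_match(collections: List[Collection], protected_title: str) -> bool:
    """Title-only matching: only directly assigned collections are considered."""
    return any(c.title == protected_title for c in collections)


def recursive_match(collections: List[Collection], protected_title: str) -> bool:
    """Also match when any ancestor of an assigned collection is protected."""
    for start in collections:
        seen = set()  # guards against a corrupted, cyclic parent chain
        node = start
        while node is not None and id(node) not in seen:
            if node.title == protected_title:
                return True
            seen.add(id(node))
            node = node.parent
    return False


def can_read(collections: List[Collection], protected_title: str,
             role_granted: bool, matcher: Callable) -> bool:
    """Assets matched by the privilege target need a grant; others are open."""
    if matcher(collections, protected_title):
        return role_granted
    return True


# Constructed sample hierarchy: Corporate > Press > 2023, plus an unrelated root.
corporate = Collection("Corporate")
press = Collection("Press", parent=corporate)
archive = Collection("2023", parent=press)
public = Collection("Public")

if __name__ == "__main__":
    for name, m in (("flat", flat_match), ("recursive", recursive_match)):
        print(name, can_read([press], "Corporate", False, m))
```

With the flat matcher, a user without the grant can still read an asset assigned only to "Press"; the recursive matcher denies it while leaving assets in "Public" untouched.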

Sebobo commented 7 months ago

Hi Lorenz,

I'm making good progress with the feature, and will publish the branch for testing later today.