Access Control

[kstapelfeldt]

(Respecting to the File level)

[kstapelfeldt]

Problem

Need to replicate the functionality of Islandora 7x in the Islandora 2.0 stack

• Restrict access based on roles and permissions at node, collection, media level (Cascade permissions where required - When we restrict media, we need to cascade this to file level)
• Respect access restrictions in views, solr, triplestore

Resources

• https://www.drupal.org/project/permissions_by_term
• https://seth-shaw-unlv.github.io/2021-02-19/content_access_control
• https://www.youtube.com/watch?v=tKQIdYjsVDo

Research

• Flysystem provides https://flysystem.thephpleague.com/v2/docs/visibility/ to assign permissions to files. Would this work with Permissions by Term?
• Is there a way to meaningfully resolve the performance issues that have been identified by the community? (Need to replicate the problems). Can we ignore the permissions checking on the view and rely on view switching based on role?

[kstapelfeldt]

https://www.drupal.org/project/content_access

[kstapelfeldt]

https://www.drupal.org/project/acl

[kstapelfeldt]

https://www.drupal.org/node/270000

[kstapelfeldt]

This module has some inheritance features that might be valuable to review: https://www.drupal.org/project/access_by_ref

[kylehuynh205]

Drupal Private file system approach:

• Switch File system to private at http://d9.dsu-pp.server.utsc.utoronto.ca/admin/config/media/file-system
• Set Private File directory at /var/www/D9-test/web/sites/default/private_files
• Set File Directory with token:
  • ie: audio/[random:number] at http://d9.dsu-pp.server.utsc.utoronto.ca/admin/structure/media/manage/audio/fields/media.audio.field_media_audio_file

Demo in PP (VPN on):

By default, the following media are private. the below links are "Access denied" (without login):

File Link	In Node level
Audio file directed link	http://d9.dsu-pp.server.utsc.utoronto.ca/node/4
PDF file directed link	http://d9.dsu-pp.server.utsc.utoronto.ca/node/2
Video file directed link	http://d9.dsu-pp.server.utsc.utoronto.ca/node/3
Image file directed link	http://d9.dsu-pp.server.utsc.utoronto.ca/node/4

To flip private to public,

• Visit at http://d9.dsu-pp.server.utsc.utoronto.ca/admin/config/media/private-files-download-permission, each row is configuring the access control for each media above.

• Visit each row at Edit directory button and set Enabled Users and Enable Roles

Assessment

Pro: everything configuration is in the UI, little cmd involved.

Con: The module https://www.drupal.org/project/private_files_download_permission use hook_file_download to check permission of the file, and return a BinaryFileResponse which is a Response Object contains a SplFileInfo File object. With this factor, the loading performance maybe effected if the file is big, or a view contains many objects, or Searching functionality.

TODO:

If we decide to go with this approach, the next development piece is automate the process of add directory the table above.

[kylehuynh205]

Flysystem Local Adapter Approach:

How to setup:

• Install Flysystem composer require 'drupal/flysystem:^2.0@beta'
• Enable the module
• In web/sites/defaults/settings added :

$settings['flysystem'] = [
  'local' => [ // The name of the stream wrapper.
    'driver' => 'local', // The plugin key.
    'config' => [
      'root' => 'sites/default/flysystem',
      'public' => TRUE,
      'name' => 'islandora_lite', // Defaults to Flysystem: scheme.
      'description' => 'islandora_lite',  // Defaults to Flysystem: scheme.
      'cache' => TRUE, // Cache filesystem metadata. Not necessary for
      'replicate' => 'ftpexample', // 'replicate' writes to both filesystems, but
      'serve_js' => TRUE, // Serve Javascript or CSS via this stream wrapper.
      'serve_css' => TRUE, // This is useful for adapters that function as
    ],
  ],
]

• In web/sites/default, create directory call flysystem

• In /admin/structure/media, in each media type, select operation Manage field, Select any File Field, and choose Upload Destination as "Flysystem: local" (as screenshot below). Live Demo

  

• Then select Edit mode change File Directory to something like audio/[random:number]. which will enforce audio file uploaded to sites/default/flysystem/audio/[random number]/.... (Live Demo)

Usage: To apply Private or Public mode to a file, according to Flysystem API at https://flysystem.thephpleague.com/v2/docs/adapter/local/, use command line to change permission:

• Upon directory: chmod 7604 web/sites/default/flysystem/video/599725582 ==> Works, with Access denied at http://d9.dsu-pp.server.utsc.utoronto.ca/sites/default/flysystem/video/599725582/test.mp4 (in Incognito Chrome), still access if logged in.
• Upon file: chmod 0604 web/sites/default/flysystem/audio/1069098879/file_example_MP3_5MG.mp3 ==> Not work, still be able to access the file direct link http://d9.dsu-pp.server.utsc.utoronto.ca/sites/default/flysystem/audio/1069098879/file_example_MP3_5MG.mp3

==> To be implement: Need to organize files uploaded for media in a directory (ie. named with media ID), then set 7604 for private and 0740 for public.

Assessment:

Pro:

• For Local purpose, the module use similar hook hook_file_download, but it only checks on the permission of the file then grant access.
• Beyond Local Drupal storage purpose: If we decide to use remote storage for example Fedora and Openstack Swift, there are already available adapters can be used.

Con: No interface available, use more in command-line

[kylehuynh205]

Embargos (alternative to Permission by term):

Example: http://d9.dsu-pp.server.utsc.utoronto.ca/node/5/embargoes

Add embargos to the above node:

• on FIles: Not work: direct link to file can be still be accessed (For Islandora lite stack, but for Islandora stack, it works). However, still need to switch over to Drupal private file system to protect the thumbnails.

• on Node: Works, http://d9.dsu-pp.server.utsc.utoronto.ca/node/5 will get "Access Denied"

[kstapelfeldt]

Drupal groups seems to provide a solution, but we need to be able to hide selected media (putting media in groups)

[kylehuynh205]

Found that File Entity and Group have a conflict on handling the access control for Private File system.

• File entity has its own permission regards to Private files in /admin/people/permissions.

• Group module has its own handler for Private files. If we make a group which allow anonymous user to view file. in /group/{{ group ID }}/permissions

In fact, we use the File Entity module for Fits. so it usually comes to our sites by default (if the sites needs Fits). If we also use Group to handle more use cases for access control in the same sites, these two module can cause the conflict. To solve that, have to cancel Access control handler in File Entity with this manual fix (for now):

• comment out the line ->setAccessClass('Drupal\file_entity\FileEntityAccessControlHandler') under the function file_entity_entity_type_alter(&$entity_types) at line 163 of file_entity.module

UPDATE:

Solve the issue with a patch: https://github.com/digitalutsc/override_permission_file_entity

[kylehuynh205]

Deployment has been built into installation process: https://github.com/digitalutsc/islandora_lite_installation/blob/main/scripts/access_control.sh

[kylehuynh205]

Include this in the config sync deployment