There is a security implication: some intranet sites may be protected only by VHost, which is actually a bad practice. Because of this, we need to introduce a VHost config with a list of allowed projects (media projects):
mediaService.scope = <project1:draft>, <project2>
If not specified:
For endpoint mount, limit the project to the one specified in the site's path (allow from self):
/(admin)/site/<project>/<branch>/site-path/_/media/.../<project>(:branch))
For Slash API - allow any project and branch.
Note that content permissions will further limit the access to specific media.
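A sketch of the scope check described above, as an added example that is not the project's own code. The names parseScope, isMediaAllowed, 'mount' and 'slash' are hypothetical. It assumes that an entry without a branch allows any branch of that project, that a configured list is exhaustive for both APIs, and that the default for endpoint mount restricts only the project:

```javascript
// Hypothetical helper: parse a mediaService.scope value such as
// "project1:draft, project2" into [{ project, branch }] (branch null = any).
// Returns null when the setting is absent, so the defaults apply.
function parseScope(value) {
  if (value === undefined || value === null || value.trim() === '') return null;
  return value.split(',').map((raw) => {
    const entry = raw.trim();
    const [project, branch, ...rest] = entry.split(':');
    // Fail closed on malformed entries instead of silently widening access.
    if (!project || branch === '' || rest.length > 0) {
      throw new Error(`Invalid mediaService.scope entry: "${entry}"`);
    }
    return { project, branch: branch === undefined ? null : branch };
  });
}

// api: 'mount' (endpoint mounted under a site path) or 'slash' (Slash API).
// siteProject is the project taken from the site's path; project and branch
// identify the requested media.
function isMediaAllowed({ scope, api, siteProject, project, branch }) {
  const entries = parseScope(scope);
  if (entries === null) {
    if (api === 'mount') return project === siteProject; // allow from self
    if (api === 'slash') return true;                    // any project and branch
    return false;                                        // unknown API kind: deny
  }
  return entries.some(
    (e) => e.project === project && (e.branch === null || e.branch === branch)
  );
}

// Constructed sample requests against a constructed VHost setting.
const sampleScope = 'project1:draft, project2';
const samples = [['project1', 'draft'], ['project1', 'master'],
                 ['project2', 'master'], ['intranet', 'draft']];
for (const [project, branch] of samples) {
  const ok = isMediaAllowed({ scope: sampleScope, api: 'mount',
                              siteProject: 'intranet', project, branch });
  console.log(`${project}:${branch} -> ${ok ? 'allow' : 'deny'}`);
}
```

This check only decides which project and branch a request may reach; content permissions still apply to the specific media afterwards.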