Define rights management for access #103

Open
ninaeberle opened this issue Nov 3, 2021 · 1 comment

@ninaeberle

Description

In order to restrict the access to the files for certain departments, a regulated rights management with certain levels would be a possibility to improve the module.

Steps to Reproduce

  1. Go to the new Media Module
  2. As an administrator I can set who has access to the assets and select between different stages

Expected behavior

It can be set who is granted access to which files.

Actual behavior

In the current module no rights management for the access for certain assets is available.

Affected Versions

Neos:*

UI:*

Media Module:*

You can get this information by running composer show or using the package management module within Neos.

@tdausner

IMHO this is covered by privilegeTargets

  • Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege -> matcher isInCollection()
  • Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege -> matcher isTitled()

Policy.yaml

```yaml
privilegeTargets:
  'Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege':
    'First.Group:AssetRead':
      label: 'First privilege group asset access'
      matcher: 'isInCollection("FirstCollection")'
    'Second.Group:AssetRead':
      label: 'Second privilege group asset access'
      matcher: 'isInCollection("SecondCollection")'

  'Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':
    'First.Group:AssetCollection':
      label: 'First privilege group asset collection access'
      matcher: 'isTitled("FirstCollection")'
    'Second.Group:AssetCollection':
      label: 'Second privilege group asset collection access'
      matcher: 'isTitled("SecondCollection")'

roles:
  'First.Role:FirstAssets':
    label: 'First role asset access'
    description: 'Access to First-Assets'
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'First.Group:AssetRead'
        permission: GRANT
      -
        privilegeTarget: 'First.Group:AssetCollection'
        permission: GRANT
  'Second.Role:FirstAssets':
    label: 'Second role asset access'
    description: 'Access to Second-Assets'
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'Second.Group:AssetRead'
        permission: GRANT
      -
        privilegeTarget: 'Second.Group:AssetCollection'
        permission: GRANT
```

  1. An asset manager defines collections FirstCollection and SecondCollection for different privileged groups
  2. The asset manager reads in assets into the corresponding collections
  3. A user manager assigns roles First role asset access and/or Second role asset access to users

This works with the old media module as well.
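
An added example, not part of the comment above or of the Neos code base: a small Python audit that checks a policy of this shape for roles that grant a privilege target nobody defined, or that grant the asset privilege for a collection without the matching collection privilege (or the reverse). The policy is transcribed from the Policy.yaml above into a dict as constructed sample data; `Hypothetical.Role:Broken` and `Third.Group:AssetRead` are made up to trigger findings, and treating an unpaired grant as a mistake is an assumption based on the pairing used in that policy.

```python
import re

READ_ASSET = r'Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege'
READ_COLLECTION = r'Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege'

# Constructed sample: the Policy.yaml above as a dict (labels omitted).
# 'Hypothetical.Role:Broken' is an invented misconfiguration for the demo.
POLICY = {
    'privilegeTargets': {
        READ_ASSET: {
            'First.Group:AssetRead': {'matcher': 'isInCollection("FirstCollection")'},
            'Second.Group:AssetRead': {'matcher': 'isInCollection("SecondCollection")'},
        },
        READ_COLLECTION: {
            'First.Group:AssetCollection': {'matcher': 'isTitled("FirstCollection")'},
            'Second.Group:AssetCollection': {'matcher': 'isTitled("SecondCollection")'},
        },
    },
    'roles': {
        'First.Role:FirstAssets': {'privileges': [
            {'privilegeTarget': 'First.Group:AssetRead', 'permission': 'GRANT'},
            {'privilegeTarget': 'First.Group:AssetCollection', 'permission': 'GRANT'}]},
        'Hypothetical.Role:Broken': {'privileges': [
            {'privilegeTarget': 'Second.Group:AssetRead', 'permission': 'GRANT'},
            {'privilegeTarget': 'Third.Group:AssetRead', 'permission': 'GRANT'}]},
    },
}

def targets_by_collection(policy, privilege_class, matcher_name):
    """Map privilege target id -> collection title named in its matcher."""
    pattern = re.compile(matcher_name + r'\("([^"]+)"\)')
    targets = policy['privilegeTargets'].get(privilege_class, {})
    return {tid: m.group(1) for tid, cfg in targets.items()
            if (m := pattern.search(cfg['matcher']))}

def audit(policy):
    """Return (role, problem, detail) tuples for suspicious role grants."""
    assets = targets_by_collection(policy, READ_ASSET, 'isInCollection')
    collections = targets_by_collection(policy, READ_COLLECTION, 'isTitled')
    defined = set(assets) | set(collections)
    findings = []
    for role, cfg in policy['roles'].items():
        granted = {p['privilegeTarget'] for p in cfg.get('privileges', [])
                   if p['permission'] == 'GRANT'}
        for tid in sorted(granted - defined):
            findings.append((role, 'undefined target', tid))
        a = {assets[t] for t in granted if t in assets}
        c = {collections[t] for t in granted if t in collections}
        for title in sorted(a ^ c):  # granted on one side of the pair only
            findings.append((role, 'asset/collection grant mismatch', title))
    return findings
```
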
