Extend ReadAssetPrivilege and ReadAssetCollectionPrivilege to work with nested collections
lorenzulrich opened this issue · 1 comments
In absence of better alternatives, Asset Collections are used to provide separate file management in a multi-site installation. Example:
  privilegeTargets:
    'Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege':
      'FoobarCom.Site.Corporate:Assets':
        matcher: 'isInCollection("Corporate")'
    'Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':
      'FoobarCom.Site.Corporate:AssetCollection':
        matcher: 'isTitled("Corporate")'
Using the new Media UI, we can use nested collections to have a folder-like file management. In this case, if an asset is placed in a "sub asset collection" that is not covered by a privilege, it is available to all users. It also leads to an error described at #231.
Requirement
In my opinion, we need a new privilege or matcher that checks permissions recursively. So if an Asset is in a collection being a parent of a protected collection (e.g. "Corporate" as in the example above), permission should be denied.
Affected Versions
Neos: 8.3
Media Module: 1.0
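The gap reported above, as an added example that is not part of the original issue and is not Neos or Flow code: a simplified Python model comparing a flat `isInCollection("Corporate")` check with a hypothetical matcher that also walks parent collections. The `Collection`/`Asset` classes, the `CorporateEditor` role, the function names and the sample assets are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(eq=False)
class Collection:
    title: str
    parent: Optional["Collection"] = None  # nesting, as in the new Media UI (modelled)

@dataclass
class Asset:
    name: str
    collections: list = field(default_factory=list)

def is_in_collection(asset, title):
    """Flat check: only collections the asset is directly assigned to."""
    return any(c.title == title for c in asset.collections)

def is_in_collection_recursive(asset, title):
    """Hypothetical matcher: also matches when any ancestor collection has the title."""
    for c in asset.collections:
        seen = set()
        while c is not None and id(c) not in seen:  # stop on a parent cycle
            if c.title == title:
                return True
            seen.add(id(c))
            c = c.parent
    return False

def can_read(asset, roles, matcher, title="Corporate", granted_role="CorporateEditor"):
    """Assets matched by the privilege target need the granted role;
    unmatched assets are readable by every user."""
    return granted_role in roles if matcher(asset, title) else True

def exposed_by_flat_check(assets, roles):
    """Assets the flat matcher lets through that the recursive one would deny."""
    return [a.name for a in assets
            if can_read(a, roles, is_in_collection)
            and not can_read(a, roles, is_in_collection_recursive)]

# Constructed sample hierarchy: Corporate > Press > 2023, plus an unrelated Blog.
corporate = Collection("Corporate")
press = Collection("Press", parent=corporate)
year = Collection("2023", parent=press)
blog = Collection("Blog")
ASSETS = [
    Asset("logo.svg", [corporate]),      # directly in the protected collection
    Asset("press-kit.pdf", [press]),     # one level below
    Asset("report-2023.pdf", [year]),    # two levels below
    Asset("post-header.jpg", [blog]),    # unrelated, stays public
]

if __name__ == "__main__":
    print(exposed_by_flat_check(ASSETS, roles=set()))
```

Running the same comparison against an export of the real collection tree gives a list of assets to review before and after a recursive privilege is introduced.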
Hi Lorenz,
I'm making good progress with the feature, and will publish the branch for testing later today.