Asset Privileges
Introduction
Asset privileges allow access to assets to be restricted based on authenticated roles. This package comes with the following privileges:
Restrict read access to Assets based on their media type
privilegeTargets:
  'Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege':
    'Some.Package:ReadAllPDFs':
      matcher: 'hasMediaType("application/pdf")'
Restrict read access to Assets based on Tag
privilegeTargets:
  'Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege':
    'Some.Package:ReadConfidentialAssets':
      matcher: 'isTagged("confidential")'
Restrict read access to Assets based on Asset Collection
privilegeTargets:
  'Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege':
    'Some.Package:ReadSpecialAssets':
      matcher: 'isInCollection("some-collection")'
You can also combine the three matchers, for example:
privilegeTargets:
  'Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege':
    'Some.Package:ReadConfidentialPdfs':
      matcher: 'hasMediaType("application/pdf") && isTagged("confidential")'
Restrict read access to Asset Collections based on Collection title or id
You can match on the title of an Asset Collection:
privilegeTargets:
  'Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':
    'Some.Package:ReadSpecialAssetCollection':
      matcher: 'isTitled("some-collection")'
Or on its technical identifier (UUID):
privilegeTargets:
  'Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':
    'Some.Package:ReadSpecialAssetCollection':
      matcher: 'hasId("7c1e8cbc-9205-406d-a384-f8e9440531ad")'
Complete Example:
Suppose you have three “groups” with corresponding roles Some.Package:Group1Editor, Some.Package:Group2Editor and Some.Package:Group3Editor, as well as an administrative role Some.Package:Administrator.
If you also have three “Asset Collections” named group1, group2 and group3, the following Policy.yaml would restrict editors to only see collections and assets corresponding to their role:
privilegeTargets:
  'Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege':
    'Some.Package:Group1.ReadAssets':
      matcher: 'isInCollection("group1")'
    'Some.Package:Group2.ReadAssets':
      matcher: 'isInCollection("group2")'
    'Some.Package:Group3.ReadAssets':
      matcher: 'isInCollection("group3")'
  'Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':
    'Some.Package:Group1.ReadCollections':
      matcher: 'isTitled("group1")'
    'Some.Package:Group2.ReadCollections':
      matcher: 'isTitled("group2")'
    'Some.Package:Group3.ReadCollections':
      matcher: 'isTitled("group3")'
roles:
  # The administrator may read the assets and collections of every group
  'Some.Package:Administrator':
    privileges:
      -
        privilegeTarget: 'Some.Package:Group1.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group1.ReadCollections'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group2.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group2.ReadCollections'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group3.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group3.ReadCollections'
        permission: GRANT
  # Each editor role is granted only the targets of its own group
  'Some.Package:Group1Editor':
    privileges:
      -
        privilegeTarget: 'Some.Package:Group1.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group1.ReadCollections'
        permission: GRANT
  'Some.Package:Group2Editor':
    privileges:
      -
        privilegeTarget: 'Some.Package:Group2.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group2.ReadCollections'
        permission: GRANT
  'Some.Package:Group3Editor':
    privileges:
      -
        privilegeTarget: 'Some.Package:Group3.ReadAssets'
        permission: GRANT
      -
        privilegeTarget: 'Some.Package:Group3.ReadCollections'
        permission: GRANT
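The complete example pairs each group's ReadAssets target with the ReadCollections target for the same collection. The following added sketch (not part of the Neos documentation or code base) checks an already parsed Policy.yaml for grants that break that pairing, reference undefined targets, or leave a target granted to no role. The function names and the sample dict are assumptions, and only single-call isInCollection/isTitled matchers are recognised.

```python
import re

ASSET = r"Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege"
COLLECTION = r"Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege"

def sample_policy():
    """Constructed input: the page's policy as a dict; Group3Editor lacks its collection grant."""
    groups = ["Group1", "Group2", "Group3"]
    grant = lambda *names: {"privileges": [
        {"privilegeTarget": f"Some.Package:{n}", "permission": "GRANT"} for n in names]}
    return {
        "privilegeTargets": {
            ASSET: {f"Some.Package:{g}.ReadAssets":
                    {"matcher": f'isInCollection("{g.lower()}")'} for g in groups},
            COLLECTION: {f"Some.Package:{g}.ReadCollections":
                         {"matcher": f'isTitled("{g.lower()}")'} for g in groups},
        },
        "roles": {
            "Some.Package:Administrator": grant(
                *[f"{g}.{kind}" for g in groups for kind in ("ReadAssets", "ReadCollections")]),
            "Some.Package:Group1Editor": grant("Group1.ReadAssets", "Group1.ReadCollections"),
            "Some.Package:Group2Editor": grant("Group2.ReadAssets", "Group2.ReadCollections"),
            "Some.Package:Group3Editor": grant("Group3.ReadAssets"),
        },
    }

def _titles(group, func):
    """Map target name -> collection title, for matchers that are a single func("...") call."""
    pat = re.compile(re.escape(func) + r'\("([^"]+)"\)')
    hits = ((n, pat.fullmatch(s.get("matcher", "").strip())) for n, s in group.items())
    return {n: m.group(1) for n, m in hits if m}

def audit(policy):
    """Return sorted findings for a parsed Policy.yaml dict."""
    targets = policy.get("privilegeTargets", {})
    by_asset = _titles(targets.get(ASSET, {}), "isInCollection")
    by_coll = _titles(targets.get(COLLECTION, {}), "isTitled")
    defined = {n for group in targets.values() for n in group}
    findings, granted_anywhere = [], set()
    for role, spec in policy.get("roles", {}).items():
        granted = {p["privilegeTarget"] for p in spec.get("privileges", [])
                   if p.get("permission") == "GRANT"}
        granted_anywhere |= granted
        findings += [f"{role}: grants undefined target {n}" for n in granted - defined]
        mismatch = {by_asset[n] for n in granted if n in by_asset} ^ \
                   {by_coll[n] for n in granted if n in by_coll}
        findings += [f"{role}: asset/collection grants differ for '{t}'" for t in mismatch]
    findings += [f"{n}: defined but granted to no role" for n in defined - granted_anywhere]
    return sorted(findings)
```

Calling `audit(sample_policy())` reports the one role whose asset and collection grants do not line up; to run it against a real file, load the YAML with a parser of your choice and pass the resulting dict.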