Modification of Policy.yaml, no images in frontend

Hello Community!

Info:

  • Neos 8.3.3

I’m currently having a strange issue: images are not rendered anymore after I made some more media restrictions within my Policy.yaml. Basically, I wanted to lock other users into working inside their specific Collection only.

I started developing the project without that, having all images inside “All”. I used those assets in my content elements and never faced any issue in the frontend.

Now I’ve created a Collection, moved all the pictures from that project inside and did the following in my Policy.yaml:

[...]
privilegeTargets:

  'Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\EntityPrivilege':
 
    'Vendor.Project:Site.Vendor':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "vendor-project"'   

[...]
  'Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege':
  
    'Vendor.Project:HideAllOtherCollections':
      matcher: 'isWithoutCollection()'
  
    'Vendor.Project:ReadAllPDFs':
      matcher: 'hasMediaType("application/pdf")'
      
    'Vendor.Project:ReadAllPngs':
      matcher: 'hasMediaType("image/png")'

    'Vendor.Project:ReadAllJpgs':
      matcher: 'hasMediaType("image/jpeg")'

    'Vendor.Project:ReadAllGifs':
      matcher: 'hasMediaType("image/gif")'

    'Vendor.Project:P03.ReadAllFiles':
      matcher: 'isInCollection("MyCollection")'
[...]

  'Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':
  
    'Vendor.Project:P03.ReadAssetCollection':
      matcher: 'hasId("47fd792d-b43b-4d0a-8573-6ddae018a85c")'

[...]
  'Neos.Neos:P03':
    privileges:

      - # Grant "backend users" to access the "Member area"
        privilegeTarget: 'Vendor.Project:Site.Vendor'
        permission: GRANT    

      - # Is giving access to read specific asset collection
        privilegeTarget: 'Vendor.Project:P03.ReadAssetCollection'
        permission: GRANT
        
      - # Is giving access to read specific asset collection
        privilegeTarget: 'Vendor.Project:P03.ReadAllFiles'
        permission: GRANT
        
      - # Is giving access to read all png files
        privilegeTarget: 'Vendor.Project:ReadAllPngs'
        permission: GRANT

      - # Negate default deny, and gives access to jpg/jpeg files
        privilegeTarget: 'Vendor.Project:ReadAllJpgs'
        permission: GRANT
        
      - # Negate default deny, and gives access to pdf files
        privilegeTarget: 'Vendor.Project:ReadAllPDFs'
        permission: GRANT
[...]

But now my images in the frontend are empty:

<img src="" srcset=" 1920w,  1680w,  1366w,  1024w,  960w,  768w,  614w,  380w,  280w" alt="" aria-label="" loading="lazy" class="wb-aspect-ratio__target">

In the backend I can see them, and when I move out of the backend to show the preview, they are also loaded without any issues.

Did the change in Policy.yaml cause that? If yes, how can I prevent my frontend from being affected by it? Or was there any other mistake I made?

/e: Deleting the Neos_Session cookie will prevent the image from loading
/e: Giving the same permissions as Neos.Neos:P03 to Neos.Flow:Anonymous loads the images.

Thanks! :slight_smile:

The anonymous user is the normal frontend user; there, they have to be able to view every asset that can be published.

Editors should too, so they can edit and view the website without getting errors :wink:

Can you not implement your requirements with edit privileges and allow people to view all collections?

Btw. I included hierarchical collections in the latest Media.UI betas and a feature flag to enforce assets to only be assigned to one collection to simulate a “folder system”.

Hey @sebobo!

I have different projects (site packages) in that one Neos instance, where I want them to view only their Collection, as they also only see their project to edit content. So all the media needs to be seen only by the people working in their specific project.

Also, they suddenly could delete/replace the media from other projects, which is something I want to prevent :smiley:

At first, everything was working fine until I noticed that I need to be logged in to see the media in the frontend.

As far as I understood, my approach is only possible when I add all the rights to the anonymous frontend user as well, right? Doesn’t this create an overload for Neos when it sets a cookie for all the frontend users visiting the site?

The anonymous user is only a pseudo user not creating any cookies etc.

Ah okay, good to know :smiley:

So this is coming from somewhere else.

But how would you handle the separation? So far my only workaround (if it is a workaround) is giving that mentioned anonymous user the access to the collections/media types.
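
The behaviour reported in this thread (frontend images only load once Neos.Flow:Anonymous holds the same grants as Neos.Neos:P03) can be checked before a Policy.yaml change goes live. The Python check below is an added example, not code from any post or from Neos: it lists the asset read privilege targets that a visitor without a login is not granted. The function names are hypothetical, the policy dict is constructed from the Policy.yaml quoted above (reduced to the asset targets), and Neos.Flow:Everybody is assumed from Flow's role model.

```python
READ_ASSET = r"Neos\Media\Security\Authorization\Privilege\ReadAssetPrivilege"
READ_COLLECTION = r"Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege"
# Roles of a visitor without a login. Neos.Flow:Everybody is an assumption taken
# from Flow's role model; the thread itself only names Neos.Flow:Anonymous.
ANONYMOUS_ROLES = ("Neos.Flow:Everybody", "Neos.Flow:Anonymous")

def effective_permissions(policy, role_ids):
    """Map privilegeTarget -> permissions collected over the roles and their parentRoles."""
    perms, seen, todo = {}, set(), list(role_ids)
    while todo:
        role_id = todo.pop()
        if role_id in seen:
            continue
        seen.add(role_id)
        role = policy.get("roles", {}).get(role_id) or {}
        todo.extend(role.get("parentRoles", []))
        for entry in role.get("privileges", []):
            perms.setdefault(entry["privilegeTarget"], set()).add(entry["permission"].upper())
    return perms

def hidden_for_anonymous(policy):
    """Asset read targets that anonymous visitors are denied or never granted."""
    perms = effective_permissions(policy, ANONYMOUS_ROLES)
    targets = policy.get("privilegeTargets", {})
    names = list(targets.get(READ_ASSET, {})) + list(targets.get(READ_COLLECTION, {}))
    return sorted(n for n in names
                  if "DENY" in perms.get(n, set()) or "GRANT" not in perms.get(n, set()))

def grant(*names):
    return [{"privilegeTarget": n, "permission": "GRANT"} for n in names]

# Constructed sample: the thread's Policy.yaml as a YAML loader would return it.
P03_TARGETS = ("Vendor.Project:P03.ReadAssetCollection", "Vendor.Project:P03.ReadAllFiles",
               "Vendor.Project:ReadAllPngs", "Vendor.Project:ReadAllJpgs",
               "Vendor.Project:ReadAllPDFs")
POLICY = {"privilegeTargets": {
    READ_ASSET: {
        "Vendor.Project:HideAllOtherCollections": {"matcher": "isWithoutCollection()"},
        "Vendor.Project:ReadAllPDFs": {"matcher": 'hasMediaType("application/pdf")'},
        "Vendor.Project:ReadAllPngs": {"matcher": 'hasMediaType("image/png")'},
        "Vendor.Project:ReadAllJpgs": {"matcher": 'hasMediaType("image/jpeg")'},
        "Vendor.Project:ReadAllGifs": {"matcher": 'hasMediaType("image/gif")'},
        "Vendor.Project:P03.ReadAllFiles": {"matcher": 'isInCollection("MyCollection")'}},
    READ_COLLECTION: {"Vendor.Project:P03.ReadAssetCollection":
                      {"matcher": 'hasId("47fd792d-b43b-4d0a-8573-6ddae018a85c")'}}},
    "roles": {"Neos.Neos:P03": {"privileges": grant(*P03_TARGETS)}}}
# The workaround from the thread: the same grants for Neos.Flow:Anonymous.
WORKAROUND = {**POLICY, "roles": {**POLICY["roles"],
              "Neos.Flow:Anonymous": {"privileges": grant(*P03_TARGETS)}}}
```

`hidden_for_anonymous(POLICY)` returns all seven targets, while `hidden_for_anonymous(WORKAROUND)` leaves only `HideAllOtherCollections` and `ReadAllGifs`, the two targets that no role in the quoted configuration grants.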