FEATURE: Better multi-site support for media module

[tdausner]

Currently, the Neos Media module offers no easily feasible path for multi-site support.

Asset collection names can hold any characters (up to 255). With an agreement of
specific asset collection titles (see below Working with specific asset collection titles)
in interaction with privilege methods titleStartsWith, titleEndsWith and
titleContains for asset collection titles it is possible to utilize the Neos Media
module for multi-site installations

The privilege methods titleStartsWith, titleEndsWith and titleContains
are available for asset titles and do operate identical on asset collection titles
when copied to the corresponding php source.

Some other Media interface features screw up the separation of assets for different
sites:

• opportunity to select "All" collections
  • here you would see all assets of all sites
• Tags
  • it is hard to manage tags to differentiate assets for separate sites

The Neos Media module offers som feature configurations (see file
Packages/Neos/Neos.Media.Browser/Configuration/Settings.yaml of this PR)
which easily can be extended

Neos:
  Media:
    # ...
    Browser:
      # ...
      features:
        # ...
        
        # Show "all" collections
        showCollectionsAll:
          enable: true
        # Show tags
        showTags:
          enable: true

With these feature entries the Neos Media module can be customized as required for multi-site support:

• set showCollectionsAll.enable to false
• set showTags.enable to false

Review instructions

• start with a fresh NEOS development installation (see https://github.com/neos/neos-development-collection#contributing)
  • tds is my development domain
  • shell command (adapted from https://discuss.neos.io/t/development-setup/504)

$ composer create-project neos/neos-development-distribution neos-dev.tds @dev --keep-vcs

• setup test sites

for s in First Second Third
do
  echo "0" | ./flow kickstart:site $s.Site $s
  ./flow site:import --package-key $s.Site
  ./flow domain:add ${s,,}-site ${s,,}.tds --scheme https
done

Retrieve the node names

$ ./flow site:list

 Name                 Node name                 Resources package               Status
----------------------------------------------------------------------------------------
 First                first-site                First.Site                      online
 Second               second-site               Second.Site                     online
 Third                third-site                Third.Site                      online

• Setup Policy.yaml for all three sites. Example file is
  DistributionPackages/First.Site/Configuration/Policy.yaml

privilegeTargets:
  'Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege':

    'First.Site:NodeTreePrivilege':
      label: 'Access to First pages'
      matcher: 'isDescendantNodeOf("/sites/first-site")'

  'Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':

    'First.Site:FirstAssetCollection':
      label: 'First site asset collections access'
      matcher: 'titleStartsWith("first")'

  # copy from Packages/Application/Neos.Media.Browser/Configuration/Policy.yaml
  'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
    'Neos.Media.Browser:ManageAssetCollections':
      label: Allowed to manage asset collections
      matcher: 'method(Neos\Media\Browser\Controller\(Asset|Image)Controller->(createAssetCollection|editAssetCollection|updateAssetCollection|deleteAssetCollection)Action()) || method(Neos\Media\Browser\Controller\AssetCollectionController->(create|edit|update|delete)Action())'

roles:

  'Neos.Neos:Administrator':
    privileges:
      -
        privilegeTarget: 'First.Site:NodeTreePrivilege'
        permission: GRANT
      -
        privilegeTarget: 'First.Site:FirstAssetCollection'
        permission: GRANT

  'First.Site:FirstEditor':
    label: 'First Editor'
    description: 'Edit and release of First pages'
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'First.Site:NodeTreePrivilege'
        permission: GRANT

  'First.Site:FirstAssets':
    label: 'First Asset access'
    description: 'Access to First assets'
    privileges:
      -
        privilegeTarget: 'First.Site:FirstAssetCollection'
        permission: GRANT
      -
        privilegeTarget: 'Neos.Media.Browser:ManageAssetCollections'
        permission: grant

Result (if Policy.yaml is set for all three sites)

$ ./flow security:listroles
+-----------------------------------------------+---------------------+
| Id                                            | Label               |
+-----------------------------------------------+---------------------+
| Neos.Neos:LivePublisher                       | Live publisher      |
| Neos.Neos:Administrator                       | Neos Administrator  |
| Neos.Neos:RestrictedEditor                    | Restricted Editor   |
| Neos.Neos:Editor                              | Editor              |
| Neos.Neos:UserManager                         | Neos User Manager   |
| Third.Site:ThirdEditor                        | Third Editor        |
| Third.Site:ThirdAssets                        | Third Asset access  |
| First.Site:FirstEditor                        | First Editor        |
| First.Site:FirstAssets                        | First Asset access  |
| Second.Site:SecondEditor                      | Second Editor       |
| Second.Site:SecondAssets                      | Second Asset access |
| Neos.Setup:SetupUser                          | SetupUser           |
| Flowpack.Neos.FrontendLogin:User              | User                |
| Flowpack.Neos.FrontendLogin:UserAdministrator | UserAdministrator   |
+-----------------------------------------------+---------------------+

• Add site users first, second and third. Passwords are set to user's names:

for s in First Second Third
do
  ./flow user:create --roles ${s}.Site:${s}Editor,${s}.Site:${s}Assets ${s,,} ${s,,} $s User
done

$ ./flow user:list
+---------------+-------+-------------------+-----------------------------------------------------------+--------+
| Name          | Email | Account(s)        | Role(s)                                                   | Active |
+---------------+-------+-------------------+-----------------------------------------------------------+--------+
| First User    |       | first             | First.Site:FirstEditor, First.Site:FirstAssets            | yes    |
| Second User   |       | second            | Second.Site:SecondEditor, Second.Site:SecondAssets        | yes    |
| Third User    |       | third             | Third.Site:ThirdEditor, Third.Site:ThirdAssets            | yes    |
| Administrator |       | [email protected] | Neos.Neos:Administrator                                   | yes    |
+---------------+-------+-------------------+-----------------------------------------------------------+--------+

• Log into NEOS as administrator and add some asset collections

• Add some assets and assign each asset to exactly one of the collections

• Set default asset collection at sites in Site Management

Repeat this step for sites Second and Third.

• The domains of the sites created are

$ flow domain:list
+-------------+---------------------------+--------+
| Node name   | Domain (Scheme/Host/Port) | State  |
+-------------+---------------------------+--------+
| first-site  | https://first.tds         | active |
| third-site  | https://third.tds         | active |
| second-site | https://second.tds        | active |
+-------------+---------------------------+--------+

It is mandatory to utilize these domains to access the Neos backends for operation of the site specific default asset collections.

• Log into Neos backend at https://first.tds/neos as user first (password first) and go to Media

• Log into Neos backend at https://second.tds/neos as user second (password second) and go to Media

Working with specific asset collection titles

To work with specific asset collection titles set the feature parameter collectionTree.separator to
a character used to separate the different parts of the asset collection title (slash / for example)
in file Packages/Neos/Neos.Media.Browser/Configuration/Settings.yaml of this PR.

Neos:
  Media:
    # ...
    Browser:
      # ...
      features:
        # ...
        
        # Show "all" collections
        showCollectionsAll:
          enable: false
        # Show tags
        showTags:
          enable: false
        # collection hierarchical tree view / separation character
        # set to some character to enable (for example '/')
        collectionTree:
          separator: '/'

Log into Neos backend at https://first.tds/neos as user first (password first) and go to Media
and add two asset collections

• first/one
• first/one/two

results in a tree view (each asset collection has an asset assigned):

Clicking the "edit" pencil at the "Collections" shows that the "base" asset collection (first)
cannot be edited or deleted.

Deleting one asset collection...

...moves the assets of the deleted asset collection to the "base" asset collection (first)

Checklist

• Code follows the PSR-2 coding style
• Tests have been created, run and adjusted as needed
• The PR is created against the lowest maintained branch
• Reviewer - PR Title is brief but complete and starts with FEATURE|TASK|BUGFIX
• Reviewer - The first section explains the change briefly for change-logs
• Reviewer - Breaking Changes are marked with !!! and have upgrade-instructions

[crydotsnake]

I will close this since its a duplicate of #4426

[tdausner]

@crydotsnake this PR is for 8.3 branch. #4426 is for 9.0 branch. IMHO there is no automatic backwards deployment?

[crydotsnake]

@crydotsnake this PR is for 8.3 branch. #4426 is for 9.0 branch. IMHO there is no automatic backwards deployment?

FEATURE PRs only go into the 9.0 Branch :)

[tdausner]

@crydotsnake please reopen this PR. How else can this feature get into 8.3?

[crydotsnake]

@crydotsnake please reopen this PR. How else can this feature get into 8.3?

New features only goes in Neos 9.0. And Not 8.3 anymore. Since its planned that Neos 9 will be the next release.

[tdausner]

@crydotsnake IMHO all feature requests go to the supported LTS Version which currently are 7.4 and 8.3. My PR for 9.0 was submitted for upwards compatibility reasons! Again: please reopen.

[crydotsnake]

Hello @tdausner

Thats not Right. Feature PRs ALWAYS go to the next released Version. In this case its 9.0. It has always been like that.

With bugfixes it is different. Here, the last LTS version is always the one that gets bug fixes. Until December, it is still the Neos LTS 7.3. Unless the bug does not affect Neos 7.3 but is, for example, only reproducible in Neos 8.0. Then, of course, the change goes into the 8.0 branch.

But as I said: Feature PRs always go into the version that will be released next. And in this case it is currently the Neos 9 version.

[crydotsnake]

Please correct me in case i'm wrong @Sebobo @mhsdesign

[crydotsnake]

@markusguenther also mentioned it here for example :)

neos/neos-ui#3584 (comment)

[markusguenther]

Dear Thomas Dausner,

First and foremost, thank you for taking the time to create a Feature Pull Request for Neos.Media. We appreciate your contribution and dedication to the project.

We as Neos project try to follow semantic versioning (semver) principles. Semantic versioning consists of three parts: MAJOR.MINOR.PATCH. The rule we adhere to is as follows:

MAJOR version: Incremented when backward-incompatible changes are introduced.
MINOR version: Incremented when backward-compatible new features are added.
PATCH version: Incremented for backward-compatible bug fixes.

Given that the latest published release is version 8.3, it is indeed not possible to include new features in already released versions as per the semver guidelines. However, we're thrilled to inform you that the upcoming release, version 9.0, provides the perfect opportunity to include your proposed feature.

Once version 9.0 is released, your Feature Pull Request will be a valuable addition to the project and will be thoroughly reviewed for inclusion. We genuinely appreciate your understanding and cooperation in adhering to the versioning principles, as it ensures a stable and predictable release process for the entire NeosCMS community.

We encourage you to keep an eye on the release schedule for version 9.0 so that you can test and adapt your changes accordingly before the release date.

Again, we express our gratitude for your contribution, and we are looking forward to seeing your feature in version 9.0 of NeosCMS.

If you have any questions or need any assistance during this process, please feel free to reach out to us. Your involvement is vital to the continuous improvement of NeosCMS.

Thank you and best regards,

Markus

[tdausner]

@crydotsnake @markusguenther thanks a lot for the enlightening discussion. I must apologize for my persistence but this is my first feature PR. Next time now i'm very informed :-)