FEATURE: Better multi-site support for media module

[tdausner]

Currently, the Neos Media module offers no easily feasible path for multi-site support.

Asset collection names can hold any characters (up to 255). With an agreement of
specific asset collection titles (see below Working with specific asset collection titles)
in interaction with privilege methods titleStartsWith, titleEndsWith and
titleContains for asset collection titles it is possible to utilize the Neos Media
module for multi-site installations

The privilege methods titleStartsWith, titleEndsWith and titleContains
are available for asset titles and do operate identical on asset collection titles
when copied to the corresponding php source.

Some other Media interface features screw up the separation of assets for different
sites:

• opportunity to select "All" collections
  • here you would see all assets of all sites
• Tags
  • it is hard to manage tags to differentiate assets for separate sites

The Neos Media module offers som feature configurations (see file
Packages/Neos/Neos.Media.Browser/Configuration/Settings.yaml of this PR)
which easily can be extended

Neos:
  Media:
    # ...
    Browser:
      # ...
      features:
        # ...
        
        # Show "all" collections
        showCollectionsAll:
          enable: true
        # Show tags
        showTags:
          enable: true

With these feature entries the Neos Media module can be customized as required for multi-site support:

• set showCollectionsAll.enable to false
• set showTags.enable to false

Review instructions

• start with a fresh NEOS development installation (see https://github.com/neos/neos-development-collection#contributing)
  • tds is my development domain
  • shell command (adapted from https://discuss.neos.io/t/development-setup/504)

$ composer create-project neos/neos-development-distribution neos-dev.tds @dev --keep-vcs

• setup test sites

for s in First Second Third
do
  echo "0" | ./flow kickstart:site $s.Site $s
  ./flow site:import --package-key $s.Site
  ./flow domain:add ${s,,}-site ${s,,}.tds --scheme https
done

Retrieve the node names

$ ./flow site:list

 Name                 Node name                 Resources package               Status
----------------------------------------------------------------------------------------
 First                first-site                First.Site                      online
 Second               second-site               Second.Site                     online
 Third                third-site                Third.Site                      online

• Setup Policy.yaml for all three sites. Example file is
  DistributionPackages/First.Site/Configuration/Policy.yaml

privilegeTargets:
  'Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege':

    'First.Site:NodeTreePrivilege':
      label: 'Access to First pages'
      matcher: 'isDescendantNodeOf("/sites/first-site")'

  'Neos\Media\Security\Authorization\Privilege\ReadAssetCollectionPrivilege':

    'First.Site:FirstAssetCollection':
      label: 'First site asset collections access'
      matcher: 'titleStartsWith("first")'

  # copy from Packages/Application/Neos.Media.Browser/Configuration/Policy.yaml
  'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
    'Neos.Media.Browser:ManageAssetCollections':
      label: Allowed to manage asset collections
      matcher: 'method(Neos\Media\Browser\Controller\(Asset|Image)Controller->(createAssetCollection|editAssetCollection|updateAssetCollection|deleteAssetCollection)Action()) || method(Neos\Media\Browser\Controller\AssetCollectionController->(create|edit|update|delete)Action())'

roles:

  'Neos.Neos:Administrator':
    privileges:
      -
        privilegeTarget: 'First.Site:NodeTreePrivilege'
        permission: GRANT
      -
        privilegeTarget: 'First.Site:FirstAssetCollection'
        permission: GRANT

  'First.Site:FirstEditor':
    label: 'First Editor'
    description: 'Edit and release of First pages'
    parentRoles: ['Neos.Neos:Editor']
    privileges:
      -
        privilegeTarget: 'First.Site:NodeTreePrivilege'
        permission: GRANT

  'First.Site:FirstAssets':
    label: 'First Asset access'
    description: 'Access to First assets'
    privileges:
      -
        privilegeTarget: 'First.Site:FirstAssetCollection'
        permission: GRANT
      -
        privilegeTarget: 'Neos.Media.Browser:ManageAssetCollections'
        permission: grant

Result (if Policy.yaml is set for all three sites)

$ ./flow security:listroles
+-----------------------------------------------+---------------------+
| Id                                            | Label               |
+-----------------------------------------------+---------------------+
| Neos.Neos:LivePublisher                       | Live publisher      |
| Neos.Neos:Administrator                       | Neos Administrator  |
| Neos.Neos:RestrictedEditor                    | Restricted Editor   |
| Neos.Neos:Editor                              | Editor              |
| Neos.Neos:UserManager                         | Neos User Manager   |
| Third.Site:ThirdEditor                        | Third Editor        |
| Third.Site:ThirdAssets                        | Third Asset access  |
| First.Site:FirstEditor                        | First Editor        |
| First.Site:FirstAssets                        | First Asset access  |
| Second.Site:SecondEditor                      | Second Editor       |
| Second.Site:SecondAssets                      | Second Asset access |
| Neos.Setup:SetupUser                          | SetupUser           |
| Flowpack.Neos.FrontendLogin:User              | User                |
| Flowpack.Neos.FrontendLogin:UserAdministrator | UserAdministrator   |
+-----------------------------------------------+---------------------+

• Add site users first, second and third. Passwords are set to user's names:

for s in First Second Third
do
  ./flow user:create --roles ${s}.Site:${s}Editor,${s}.Site:${s}Assets ${s,,} ${s,,} $s User
done

$ ./flow user:list
+---------------+-------+-------------------+-----------------------------------------------------------+--------+
| Name          | Email | Account(s)        | Role(s)                                                   | Active |
+---------------+-------+-------------------+-----------------------------------------------------------+--------+
| First User    |       | first             | First.Site:FirstEditor, First.Site:FirstAssets            | yes    |
| Second User   |       | second            | Second.Site:SecondEditor, Second.Site:SecondAssets        | yes    |
| Third User    |       | third             | Third.Site:ThirdEditor, Third.Site:ThirdAssets            | yes    |
| Administrator |       | [email protected] | Neos.Neos:Administrator                                   | yes    |
+---------------+-------+-------------------+-----------------------------------------------------------+--------+

• Log into NEOS as administrator and add some asset collections

• Add some assets and assign each asset to exactly one of the collections

• Set default asset collection at sites in Site Management

Repeat this step for sites Second and Third.

• The domains of the sites created are

$ flow domain:list
+-------------+---------------------------+--------+
| Node name   | Domain (Scheme/Host/Port) | State  |
+-------------+---------------------------+--------+
| first-site  | https://first.tds         | active |
| third-site  | https://third.tds         | active |
| second-site | https://second.tds        | active |
+-------------+---------------------------+--------+

It is mandatory to utilize these domains to access the Neos backends for operation of the site specific default asset collections.

• Log into Neos backend at https://first.tds/neos as user first (password first) and go to Media

• Log into Neos backend at https://second.tds/neos as user second (password second) and go to Media

Working with specific asset collection titles

To work with specific asset collection titles set the feature parameter collectionTree.separator to
a character used to separate the different parts of the asset collection title (slash / for example)
in file Packages/Neos/Neos.Media.Browser/Configuration/Settings.yaml of this PR.

Neos:
  Media:
    # ...
    Browser:
      # ...
      features:
        # ...
        
        # Show "all" collections
        showCollectionsAll:
          enable: false
        # Show tags
        showTags:
          enable: false
        # collection hierarchical tree view / separation character
        # set to some character to enable (for example '/')
        collectionTree:
          separator: '/'

Log into Neos backend at https://first.tds/neos as user first (password first) and go to Media
and add two asset collections

• first/one
• first/one/two

results in a tree view (each asset collection has an asset assigned):

Clicking the "edit" pencil at the "Collections" shows that the "base" asset collection (first)
cannot be edited or deleted.

Deleting one asset collection...

...moves the assets of the deleted asset collection to the "base" asset collection (first)

Checklist

• Code follows the PSR-2 coding style
• Tests have been created, run and adjusted as needed
• The PR is created against the lowest maintained branch
• Reviewer - PR Title is brief but complete and starts with FEATURE|TASK|BUGFIX
• Reviewer - The first section explains the change briefly for change-logs
• Reviewer - Breaking Changes are marked with !!! and have upgrade-instructions