PHPackages wwwision/assetconstraints - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. wwwision/assetconstraints AbandonedArchivedNeos-package[Authentication & Authorization](/categories/authentication) wwwision/assetconstraints ========================= Simple package to constraint access to Neos.Media assets based on tags, content type or asset collection v0.5.0(8y ago)634931GPL-3.0+PHP Since Aug 9Pushed 6y ago1 watchersCompare [ Source](https://github.com/bwaidelich/Wwwision.AssetConstraints)[ Packagist](https://packagist.org/packages/wwwision/assetconstraints)[ RSS](/packages/wwwision-assetconstraints/feed)WikiDiscussions master Synced 3d ago READMEChangelog (2)Dependencies (1)Versions (3)Used By (1) Wwwision.AssetConstraints ========================= [](#wwwisionassetconstraints) Simple package to constraint access to Neos.Media assets based on tags, content type or asset collection **NOTE:** The functionality of this package has been [ported](https://github.com/neos/neos-development-collection/pull/1723) to the Neos Core with version 3.3 in the meantime Usage ----- [](#usage) 1. Drop package into your (Neos) installation 2. Add policies to your main package `Policy.yaml` 3. Adjust `Settings` and `NodeTypes` configuration to your needs Features -------- [](#features) ### New Asset privileges: [](#new-asset-privileges) This package comes with Entity Privileges allowing to restrict reading of `Assets` based on several attributes: #### Restrict read access to `Assets` based on their *media type* [](#restrict-read-access-to-assets-based-on-their-media-type) *Policy.yaml:* ``` privilegeTargets: 'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege': 'Some.Package:ReadAllPDFs': matcher: 'hasMediaType("application/pdf")' ``` #### Restrict read access to `Assets` based on *Tag* [](#restrict-read-access-to-assets-based-on-tag) *Policy.yaml:* ``` privilegeTargets: 'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege': 'Some.Package:ReadConfidentialAssets': matcher: 'isTagged("confidential")' ``` #### Restrict read access to `Assets` based on *Asset Collection* [](#restrict-read-access-to-assets-based-on-asset-collection) *Policy.yaml:* ``` privilegeTargets: 'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege': 'Some.Package:ReadSpecialAssets': matcher: 'isInCollection("some-collection")' ``` Of course you can combine the three matchers like: ``` privilegeTargets: 'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege': 'Some.Package:ReadConfidentialPdfs': matcher: 'hasMediaType("application/pdf") && isTagged("confidential")' ``` #### Restrict read access to `Tags` based on *Tag label* [](#restrict-read-access-to-tags-based-on-tag-label) *Policy.yaml:* ``` privilegeTargets: 'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadTagPrivilege': 'Some.Package:ReadConfidentialTags': matcher: 'isLabeled("confidential")' ``` #### Restrict read access to `Asset Collections` based on *Collection title* [](#restrict-read-access-to-asset-collections-based-on-collection-title) *Policy.yaml:* ``` privilegeTargets: 'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetCollectionPrivilege': 'Some.Package:ReadSpecialAssetCollection': matcher: 'isTitled("some-collection")' ``` ### Custom Editors to set Asset Collection based on node properties: [](#custom-editors-to-set-asset-collection-based-on-node-properties) When uploading new `Assets` using the Neos inspector, they will be added to the current site's default `Asset Collection`if one is configured in the *Sites Management module*. Unfortunately this mechanism is not (yet) flexible enough to set the collection based on other characteristics (the currently selected node for example). This package therefore adds two specialized Inspector editors for Asset/Image uploads that send the current node along with the upload-data to the server. Besides it hooks into the asset creation process (via AOP) to add the uploaded `Asset` to an `Asset Collection` based on the current node. The default behavior is to grab the closest document node, evaluate it's "assetCollection" and adds the Asset to that collection if it succeeded. This package also comes with a `DataSource` to allow for selecting the `AssetCollection`. #### Adding "assetCollection" property to all Document nodes: [](#adding-assetcollection-property-to-all-document-nodes) *NodeTypes.yaml:* ``` 'Neos.Neos:Document': ui: inspector: groups: 'assets': label: 'Assets' properties: 'assetCollection': ui: label: 'Asset Collection' inspector: group: 'assets' editor: 'Content/Inspector/Editors/SelectBoxEditor' editorOptions: dataSourceIdentifier: 'wwwision-assetconstraints-assetcollections' allowEmpty: true placeholder: 'Asset Collection for uploads' ``` **NOTE:** Usually you *don't* want to add a property to *all* Document nodes (including shortcuts, ...) but to a more specific node type such as `Your.Package:Page`. #### Adjusting the behavior of the AOP aspect: [](#adjusting-the-behavior-of-the-aop-aspect) As mentioned above, the default behavior of the AOP aspect is to check for a property called "assetCollection" in the closest `Neos.Neos:Document` node of the node the asset was uploaded to. This can be adjusted via Settings. Imagine you have a custom node type `Your.Package:MainPage` that contains the target assetCollection in a property "collection": *Settings.yaml:* ``` Wwwision: AssetConstraints: nodeLookup: nodeFilter: '[instanceof Your.Package:MainPage]' propertyName: 'collection' ``` Example Policy -------------- [](#example-policy) Given you have three "groups" and corresponding roles `Some.Package:Group1Editor`, `Some.Package:Group2Editor` and `Some.Package:Group3Editor` as well as an administrative role ``Some.Package:Administrator`. Now, if you have three "Asset Collections" named `group1`, `group2` and `group3` the following `Policy.yaml` would restrict editors to only see collections and assets corresponding to their role: ``` privilegeTargets: 'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetPrivilege': 'Some.Package:Group1.ReadAssets': matcher: 'isInCollection("group1")' 'Some.Package:Group2.ReadAssets': matcher: 'isInCollection("group2")' 'Some.Package:Group3.ReadAssets': matcher: 'isInCollection("group3")' 'Wwwision\AssetConstraints\Security\Authorization\Privilege\ReadAssetCollectionPrivilege': 'Some.Package:Group1.ReadCollections': matcher: 'isTitled("group1")' 'Some.Package:Group2.ReadCollections': matcher: 'isTitled("group2")' 'Some.Package:Group3.ReadCollections': matcher: 'isTitled("group3")' roles: 'Your.Package:Administrator': privileges: - privilegeTarget: 'Some.Package:Group1.ReadAssets' permission: GRANT - privilegeTarget: 'Some.Package:Group1.ReadCollections' permission: GRANT - privilegeTarget: 'Some.Package:Group2.ReadAssets' permission: GRANT - privilegeTarget: 'Some.Package:Group2.ReadCollections' permission: GRANT - privilegeTarget: 'Some.Package:Group3.ReadAssets' permission: GRANT - privilegeTarget: 'Some.Package:Group3.ReadCollections' permission: GRANT 'Your.Package:Group1Editor': privileges: - privilegeTarget: 'Some.Package:Group1.ReadAssets' permission: GRANT - privilegeTarget: 'Some.Package:Group1.ReadCollections' permission: GRANT 'Your.Package:Group2Editor': privileges: - privilegeTarget: 'Some.Package:Group2.ReadAssets' permission: GRANT - privilegeTarget: 'Some.Package:Group2.ReadCollections' permission: GRANT 'Your.Package:Group3Editor': privileges: - privilegeTarget: 'Some.Package:Group3.ReadAssets' permission: GRANT - privilegeTarget: 'Some.Package:Group3.ReadCollections' permission: GRANT ``` Credits ------- [](#credits) The development of this package was kindly sponsored by Web Essentials! ### Health Score 29 — LowBetter than 59% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity19 Limited adoption so far Community15 Small or concentrated contributor base Maturity54 Maturing project, gaining track record Bus Factor2 2 contributors hold 50%+ of commits How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~68 days Total 2 Last Release 3132d ago ### Community Maintainers ![](https://avatars.githubusercontent.com/u/307571?v=4)[Bastian Waidelich](/maintainers/bwaidelich)[@bwaidelich](https://github.com/bwaidelich) --- Top Contributors [![aertmann](https://avatars.githubusercontent.com/u/903567?v=4)](https://github.com/aertmann "aertmann (2 commits)")[![kdambekalns](https://avatars.githubusercontent.com/u/95873?v=4)](https://github.com/kdambekalns "kdambekalns (2 commits)")[![bwaidelich](https://avatars.githubusercontent.com/u/307571?v=4)](https://github.com/bwaidelich "bwaidelich (1 commits)") ### Embed Badge ![Health badge](/badges/wwwision-assetconstraints/health.svg) ``` [![Health](https://phpackages.com/badges/wwwision-assetconstraints/health.svg)](https://phpackages.com/packages/wwwision-assetconstraints) ``` ### Alternatives [namshi/jose JSON Object Signing and Encryption library for PHP. 1.8k99.6M101](/packages/namshi-jose)[league/oauth1-client OAuth 1.0 Client Library 99698.8M106](/packages/league-oauth1-client)[bezhansalleh/filament-shield Filament support for `spatie/laravel-permission`. 2.8k2.9M88](/packages/bezhansalleh-filament-shield)[gesdinet/jwt-refresh-token-bundle Implements a refresh token system over Json Web Tokens in Symfony 70516.4M35](/packages/gesdinet-jwt-refresh-token-bundle)[league/oauth2-google Google OAuth 2.0 Client Provider for The PHP League OAuth2-Client 41721.2M118](/packages/league-oauth2-google)[illuminate/auth The Illuminate Auth package. 9327.3M1.0k](/packages/illuminate-auth) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)