Contributor user id not able to view Related asset under a DAM asset

subramanya75

23-01-2019

We have created a relationship between some assets using RELATE functionality of AEM. Content authors are able to view the related-assets under the assets. Related assets are visible under Basic TAB of properties of any DAM asset.

The issue is user belonging to the group: "content-authors" are able to view the related assets under any asset. Where as user group :  "Contributor" are not able to view the related assets on the Basic-TAB of asset-properties.

How to resolve this issue , so that even "Contributor" users must be able to view the "related assets" . Issue is contributor users are able to access all assets but unable to view the relationship provided by Relate functionality.

Accepted Solutions (1)

Accepted Solutions (1)

subramanya75

28-01-2019

We Found the fix to this issue.

The culprit is below piece of code in /libs/dam/gui/components/admin/relation/relation.jsp,

This piece of code is allowing only the user having modify rights to view the relationship.

ModifiableValueMap props = relation.getProperties();

We need to overlay /libs/dam/gui/components/admin/relation/relation.jsp  into apps ( /apps/dam/gui/components/admin/relation/relation.jsp ).

Then modify the source code of  /apps/dam/gui/components/admin/relation/relation.jsp as per below:

<%@include file="/libs/granite/ui/global.jsp" %>

<%@page session="false"

        import="com.day.cq.i18n.I18n,

                                               org.apache.jackrabbit.util.Text,

                org.apache.sling.api.resource.Resource,

                org.apache.sling.api.resource.ResourceUtil,

                                                                org.apache.sling.api.resource.ModifiableValueMap,

                com.adobe.granite.ui.components.Config,              

                com.adobe.granite.xss.XSSAPI,

                com.day.cq.dam.api.Rendition,

                com.adobe.granite.asset.api.Asset,

                                                                com.adobe.granite.asset.api.AssetRelation,

                                                                com.adobe.granite.ui.components.AttrBuilder,

                                                                com.day.cq.dam.commons.util.UIHelper,

                java.util.Iterator" %><%

%><%

%>

<%

Config cfg = new Config(resource);

String assetDetailsUrl = request.getContextPath() + "/assetdetails.html";

String[] content = (String[])request.getAttribute("aem.assets.ui.properties.content");

if (null != content && content.length > 1) {

                // Return if more that one content. ince it is bulk editor

                return;

}

String contentPath = (String)request.getAttribute("granite.ui.form.contentpath");

if (null == contentPath) {

                contentPath = slingRequest.getRequestPathInfo().getSuffix();

                if (null == contentPath) {

                                // Return if cannot find content path

                                return;

                }

}

Resource res = slingRequest.getResourceResolver().getResource(contentPath);

Asset asset = (res != null ? res.adaptTo(Asset.class) : null);

AttrBuilder attrs = new AttrBuilder(request, xssAPI);

attrs.addClass(cfg.get("class", String.class));

AttrBuilder head_attrs = new AttrBuilder(request, xssAPI);

head_attrs.addClass(cfg.get("head_class", String.class));

AttrBuilder ref_attrs = new AttrBuilder(request, xssAPI);

ref_attrs.addClass(cfg.get("data_class", String.class));

String fieldLabel = cfg.get("fieldLabel", String.class);

String relationLabel = cfg.get("relationLabel", String.class);

attrs.addOthers(cfg.getProperties(), "id", "class", "rel", "title", "name", "value");

if(asset!= null) {

    try {

        Iterator<? extends Asset> itr  = asset.listRelated(relationLabel);

        if(itr.hasNext()) {%>

                                    <div style="margin-top:10px" <%= attrs.build() %>>

            <div <%= head_attrs.build() %>> <%

            if (fieldLabel != null) {

                %><label class="coral-Form-fieldlabel"><%= outVar(xssAPI, i18n, fieldLabel) %></label><%

            }

            %> </div><%

               for(int i = 0;itr.hasNext();i++) {

                Asset relation = itr.next();

                //ModifiableValueMap props = relation.getProperties();

                String resPath = relation.getPath();

                if (resPath != null) {

                    /*String resPath = "";

                    if(props.get("sling:resource") != null) {

                        resPath = props.get("sling:resource").toString();

                    } else if(props.get("dam:resolvedPath") != null) {

                        resPath = props.get("dam:resolvedPath").toString();

                        }*/

                    Resource linkedRes = slingRequest.getResourceResolver().getResource(resPath);

                    if(linkedRes != null ) {

                        String title = UIHelper.getTitle(linkedRes);

                        String assetUrl = assetDetailsUrl + Text.escapePath(linkedRes.getPath());

                        String relatedAssetPath = relation.getPath();

                        %>

                        <div <%= ref_attrs.build() %>>

                            <a title="<%= xssAPI.encodeForHTMLAttr(resPath) %>" is="coral-anchorbutton" variant="quiet" icon="link" iconsize="XS" href="<%= xssAPI.getValidHref(assetUrl) %>"  data-asset-path="<%= xssAPI.encodeForHTMLAttr(relatedAssetPath) %>" data-relation="<%= xssAPI.encodeForHTMLAttr(relationLabel) %>"> <%= xssAPI.encodeForHTML(title) %></a>

                            </div>

                        <%

                    }

                }

            }

            %></div><%

        }

    }

    catch(Exception e) {

        ;

    }

}

%>

Answers (6)

Answers (6)

subramanya75

25-01-2019

Hi,

I checked providing jcr:write permission to contributor user group. But this provides modify metadata of the asset to the user.

This is not acceptable as per the business use case. User should have read only access and should not be able to modify the assets / asset meatadata.

As I have already informed by sending below GET request with out providing the jcr:write  to contributor I am  able to get the required response:

See below request and response for asset: /content/dam/we-retail1/en/activities/biking/cycling_5.jpg)

Request:

-http://localhost:4502/libs/dam/gui/content/assets/bulkrelateasset.manageReferences.html?item=/conten...

Response from AEM:

{"/content/dam/we-retail1/en/activities/biking/cycling_5.jpg": {"name": "cycling_5.jpg","sources": {"/content/dam/we-retail/en/activities/running/running_4.jpg": {"name": "running_4.jpg"}},"derived": {},"others": {}}}

Only on the asset UI this is not working.

http://localhost:4502/libs/dam/gui/content/assets/bulkrelateasset.manageReferences.html?item=/conten...

Gaurav-Behl

MVP

24-01-2019

This is the permission on dam-users that allows to view source/target of 'related assets'

1675863_pastedImage_0.png

At the bare minimum, assign rep:write to 'contributors' group, that should fix the issue

1675449_pastedImage_2.png

subramanya75

24-01-2019

Hi all,

There are some more findings for this issue.

I logged into AEM author using contributor user id.

I accessed an Asset and this asset is related to another asset.

Contributor user is not able to view the relationship.

But when I put this request to verify the relationship, AEM provides realtionship

http://localhost:4502/libs/dam/gui/content/assets/bulkrelateasset.manageReferences.html?item=/conten...

code

{"/content/dam/we-retail1/en/activities/biking/cycling_5.jpg": {"name": "cycling_5.jpg","sources": {"/content/dam/we-retail/en/activities/running/running_4.jpg": {"name": "running_4.jpg"}},"derived": {},"others": {}}}

subramanya75

23-01-2019

Hi,

Adding user to dam-users will not serve the business purpose. The group "dam-users" have modify access to assets.

Business use case does not allow the users modify the asset, hence we are using "contributor" user group.

Is there any work-around or configuration fix to make "contributor" group to view the Relationship(view the assets connected by Relate).

Thanks,

Subramanya