Merge branch 'master' of git://github.com/mkuiphuis/flow-aws-s3 into …

…mkuiphuis-master

Classes/S3Target.php

@@ -24,6 +24,13 @@
  */
 class S3Target implements TargetInterface
 {
+    /**
+     * The ACL when uploading a file
+     * @Flow\InjectConfiguration(package="Flownative.Aws.S3", path="profiles.default.acl")
+     * @var string
+     */
+    protected $acl;
+
     /**
      * Name which identifies this resource target
      *
@@ -143,6 +150,9 @@ public function __construct($name, array $options = array())
                 case 'accessPolicyEnabled':
                     $this->accessPolicyEnabled = (bool)$value;
                     break;
+                case 'acl':
+                    $this->acl = (string)$value;
+                    break;
                 default:
                     if ($value !== null) {
                         throw new Exception(sprintf('An unknown option "%s" was specified in the configuration of the "%s" resource S3Target. Please check your settings.', $key, $name), 1428928226);
@@ -230,15 +240,13 @@ public function publishCollection(CollectionInterface $collection, callable $cal
                     $potentiallyObsoleteObjects[$objectName] = false;
                 } else {
                     $options = [
+                        'ACL' => $this->acl,
                         'Bucket' => $this->bucketName,
                         'CopySource' => urlencode($storageBucketName . '/' . $storage->getKeyPrefix() . $object->getSha1()),
                         'ContentType' => $object->getMediaType(),
                         'MetadataDirective' => 'REPLACE',
                         'Key' => $objectName
                     ];
-                    if ($this->accessPolicyEnabled !== false) {
-                        $options['ACL'] = 'public-read';
-                    }
                     try {
                         $this->s3Client->copyObject($options);
                         $this->systemLogger->debug(sprintf('Successfully copied resource as object "%s" (SHA1: %s) from bucket "%s" to bucket "%s"', $objectName, $object->getSha1() ?: 'unknown', $storageBucketName, $this->bucketName));
@@ -309,15 +317,13 @@ public function publishResource(PersistentResource $resource, CollectionInterfac
                 $sourceObjectArn = $storage->getBucketName() . '/' . $storage->getKeyPrefix() . $resource->getSha1();
                 $objectName = $this->keyPrefix . $this->getRelativePublicationPathAndFilename($resource);
                 $options = [
+                    'ACL' => $this->acl,
                     'Bucket' => $this->bucketName,
                     'CopySource' => urlencode($sourceObjectArn),
                     'ContentType'=> $resource->getMediaType(),
                     'MetadataDirective' => 'REPLACE',
                     'Key' => $objectName
                 ];
-                if ($this->accessPolicyEnabled !== false) {
-                    $options['ACL'] = 'public-read';
-                }
                 $this->s3Client->copyObject($options);
                 $this->systemLogger->debug(sprintf('Successfully published resource as object "%s" (SHA1: %s) by copying from bucket "%s" to bucket "%s"', $objectName, $resource->getSha1() ?: 'unknown', $storage->getBucketName(), $this->bucketName));
             } catch (S3Exception $e) {

Configuration/Settings.yaml

@@ -6,6 +6,10 @@ Flownative:
         # For more documentation regarding options, see http://docs.aws.amazon.com/aws-sdk-php/v2/guide/configuration.html#client-configuration-options
         default:
 
+          # Access Control List. Override in your own Settings.yaml with '' to not provide public read access to an object in S3
+          # To access these objects use SignedCookie or SignedURL method in combination with AWS CloudFront
+          acl: 'public-read'
+
           # Select the API version to use
           version: '2006-03-01'
 

README.md

@@ -365,8 +365,10 @@ Neos:
 
 ## Disable public-read ACL
 
-The canned ACL "public-read" is not useful in some cases, e.g. when using CloudFront with conflicting restrictive policies. 
-With this option the ACL setting for the target can be disabled/removed.
+The ACL for a target defaults to the setting "Flownative.Aws.S3.profiles.default.acl" but can be overwritten via targetOption "acl".
+
+So in case you want a different ACL than "public-read", e.g. when using CloudFront with conflicting restrictive policies. 
+You can either just set the above configuration setting or adjust your specific target configuration:
 
 ```yaml
 Neos:
@@ -376,5 +378,5 @@ Neos:
         s3PersistentResourcesTarget:
           target: 'Flownative\Aws\S3\S3Target'
           targetOptions:
-            accessPolicyEnabled: false
+            acl: ''
 ```