diff --git a/Classes/S3Target.php b/Classes/S3Target.php
index eec1fd4..afb519d 100644
--- a/Classes/S3Target.php
+++ b/Classes/S3Target.php
@@ -24,6 +24,13 @@
 */
 class S3Target implements TargetInterface
 {
+ /**
+ * The ACL when uploading a file
+ * @Flow\InjectConfiguration(package="Flownative.Aws.S3", path="profiles.default.acl")
+ * @var string
+ */
+ protected $acl;
+ /**
+ * Name which identifies this resource target
+ *
@@ -143,6 +150,9 @@ public function __construct($name, array $options = array())
 case 'accessPolicyEnabled':
 $this->accessPolicyEnabled = (bool)$value;
 break;
+ case 'acl':
+ $this->acl = (string)$value;
+ break;
 default:
 if ($value !== null) {
 throw new Exception(sprintf('An unknown option "%s" was specified in the configuration of the "%s" resource S3Target. Please check your settings.', $key, $name), 1428928226);
@@ -230,15 +240,13 @@ public function publishCollection(CollectionInterface $collection, callable $cal
 $potentiallyObsoleteObjects[$objectName] = false;
 } else {
 $options = [
+ 'ACL' => $this->acl,
 'Bucket' => $this->bucketName,
 'CopySource' => urlencode($storageBucketName . '/' . $storage->getKeyPrefix() . $object->getSha1()),
 'ContentType' => $object->getMediaType(),
 'MetadataDirective' => 'REPLACE',
 'Key' => $objectName
 ];
- if ($this->accessPolicyEnabled !== false) {
- $options['ACL'] = 'public-read';
- }
 try {
 $this->s3Client->copyObject($options);
 $this->systemLogger->debug(sprintf('Successfully copied resource as object "%s" (SHA1: %s) from bucket "%s" to bucket "%s"', $objectName, $object->getSha1() ?: 'unknown', $storageBucketName, $this->bucketName));
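Review bot: The new `$acl` property carries `@Flow\InjectConfiguration`, yet the next hunk also assigns it from the `acl` target option inside `__construct`; if Flow's proxy runs property injection after the original constructor has completed (which I believe is the order for prototype objects), the injected package default overwrites the per-target value and the override documented in the README never takes effect. Either drop the annotation and resolve the default explicitly when no `acl` option is given, or cover the per-target override with a functional test before merging. The docblock should also state the contract rather than the action, e.g. `The canned ACL applied to published objects; set via target option "acl", an empty string disables it.`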
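Review bot: The new `case 'acl'` stores the value after a bare `(string)` cast with no validation, although S3 accepts only a fixed set of canned ACL names; a misspelled value is not detected here but surfaces later as a rejected `copyObject` call inside the `try`/`catch` of `publishResource`, i.e. as a logged publishing failure instead of a configuration error. The surrounding `switch` already throws `Exception` for unknown option names, so the same treatment fits here: `if (!in_array($this->acl, ['', 'private', 'public-read', 'public-read-write', 'authenticated-read', 'bucket-owner-read', 'bucket-owner-full-control'], true)) { throw new Exception(sprintf('Invalid ACL "%s" configured for S3Target "%s".', $this->acl, $name)); }` (list taken from the S3 canned-ACL documentation; extend if the project needs `aws-exec-read`). `__construct` starts and ends outside the hunk.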
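Review bot: Dropping the `accessPolicyEnabled !== false` guard silently widens exposure for existing installations: a target configured with `accessPolicyEnabled: false` — until this commit the documented way to avoid the `public-read` ACL — now publishes with whatever `profiles.default.acl` resolves to, which the new Settings.yaml sets to `public-read`, so objects an operator deliberately kept private become world-readable on the next publish without any change to their own configuration. The `publishResource` hunk has the same issue. Independently, `'ACL' => $this->acl` is sent even when the value is `''` (the documented off switch); rather than relying on the SDK to drop an empty `x-amz-acl` header, add the key only when set: `if ($this->acl !== '') { $options['ACL'] = $this->acl; }`. A migration note, and ideally a constructor check that warns or refuses when `accessPolicyEnabled` is `false` while `acl` is non-empty, would make this safe to ship; `publishCollection` continues outside the hunk.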
@@ -309,15 +317,13 @@ public function publishResource(PersistentResource $resource, CollectionInterfac
 $sourceObjectArn = $storage->getBucketName() . '/' . $storage->getKeyPrefix() . $resource->getSha1();
 $objectName = $this->keyPrefix . $this->getRelativePublicationPathAndFilename($resource);
 $options = [
+ 'ACL' => $this->acl,
 'Bucket' => $this->bucketName,
 'CopySource' => urlencode($sourceObjectArn),
 'ContentType'=> $resource->getMediaType(),
 'MetadataDirective' => 'REPLACE',
 'Key' => $objectName
 ];
- if ($this->accessPolicyEnabled !== false) {
- $options['ACL'] = 'public-read';
- }
 $this->s3Client->copyObject($options);
 $this->systemLogger->debug(sprintf('Successfully published resource as object "%s" (SHA1: %s) by copying from bucket "%s" to bucket "%s"', $objectName, $resource->getSha1() ?: 'unknown', $storage->getBucketName(), $this->bucketName));
 } catch (S3Exception $e) {
diff --git a/Configuration/Settings.yaml b/Configuration/Settings.yaml
index a991070..716f8c9 100644
--- a/Configuration/Settings.yaml
+++ b/Configuration/Settings.yaml
@@ -6,6 +6,10 @@ Flownative:
 # For more documentation regarding options, see http://docs.aws.amazon.com/aws-sdk-php/v2/guide/configuration.html#client-configuration-options
 default:
+ # Access Control List. Override in your own Settings.yaml with '' to not provide public read access to an object in S3
+ # To access these objects use SignedCookie or SignedURL method in combination with AWS CloudFront
+ acl: 'public-read'
+ # Select the API version to use
 version: '2006-03-01'
diff --git a/README.md b/README.md
index 59f3c9b..c1d905e 100644
--- a/README.md
+++ b/README.md
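Review bot: The comment on the new `acl` key explains the `''` override but not that the target option `accessPolicyEnabled` no longer influences the ACL (its guard is removed in `publishCollection` and `publishResource` in this commit), so an operator who already set `accessPolicyEnabled: false` reads nothing here telling them their target now falls back to `public-read`. Suggest extending the comment: `# Note: the target option "accessPolicyEnabled" no longer affects the ACL; use acl: '' (or the "acl" target option) instead.` The wording "to not provide public read access" would also read better as "to grant no public read access".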
@@ -365,8 +365,10 @@ Neos:
 ## Disable public-read ACL
-The canned ACL "public-read" is not useful in some cases, e.g. when using CloudFront with conflicting restrictive policies.
-With this option the ACL setting for the target can be disabled/removed.
+The ACL for a target defaults to the setting "Flownative.Aws.S3.profiles.default.acl" but can be overwritten via targetOption "acl".
+
+So in case you want a different ACL than "public-read", e.g. when using CloudFront with conflicting restrictive policies.
+You can either just set the above configuration setting or adjust your specific target configuration:
 ```yaml
 Neos:
@@ -376,5 +378,5 @@ Neos:
 s3PersistentResourcesTarget:
 target: 'Flownative\Aws\S3\S3Target'
 targetOptions:
- accessPolicyEnabled: false
+ acl: ''
 ```