Users without fedoraAdmin role can't upload images; other roles needed

[kayakr]

With a fresh install, uid1 can add a Repository Item with model=Image, add Member media of type Image, and node displays image.

With a new user with administrator role (by default, receives all available permissions):

• drush user:create administrator --mail="administrator@example.com" --password="administrator"
• drush user:role:add "administrator" administrator

Add Repository Item with model=Image, add Member media of type Image, Media User=Original file, on "Save", error message "This value should be of the correct primitive type." displays with Alternative text input highlighted (even though Alternative text contains data).

Drupal watchdog reports "The file permissions could not be set on fedora://2019-02/PH17-003.jpg." and "Source image at fedora://2019-02/PH17-003.jpg not found while trying to generate derivative image at fedora://styles/thumbnail/fedora/2019-02/PH17-003.jpg."

web/sites/default/files/2019-02 only contains Service File and Thumbnail Image jpegs from uid1 earlier.

Adding extra role fedoraAdmin to administrator user allows the image upload to proceed.

Sounds like something special is happening for fedoraAdmin role that should available for other roles...?

[kayakr]

As uid1, if I add Repository Item node with Model=Binary, add File media with a .tif file then media is accepted for uid1 and OpenSeadragon renders tiled image viewable by uid1 and uid3/administrator role.

If I remove fedoraAdmin role from uid3, then uid3/administrator role can add node/file media but when viewing via OpenSeadragon I get message in OpenSeadragon "Unable to open [object Object]: HTTP 404 attempting to load TileSource", js console shows "Failed to load resource: the server responded with a status of 404 (Not Found)" for URL http://localhost:8080/cantaloupe/iiif/2/_flysystem%2Ffedora%2F2019-02%2FLyttelton-002.tif/info.json
uid1 sees the same error when viewing the node added by uid3.

[whikloj]

@kayakr yes, this is due to WebAC and the fact that we don't do anything with WebAC yet. So the default policy in Fedora is read-only unless has role fedoraAdmin.

So for the claw-playbook we add the role and add admin to it [1].

So we could define a different default WebAC and apply that, but we haven't...yet.

[dannylamb]

Maybe we can rig Syn/Fedora to use the authenticated user role instead of fedoraAdmin by default?

[whikloj]

That would give every user of Drupal admin rights to your Fedora and the abililty to add/edit/delete. I think altering Syn to accept a configurable "admin" role is better. But also, we could add a default WebAC for the claw-playbook that would allow read-write to all users by default.

[dannylamb]

Eh... yeah... For vagrant that more permissive default is fine, but for anything else, you're right. I see we need to make the distinction between a drupal user and a drupal user that can write to fedora for most other situations. I'm not sure what a better default would be. Documentation would certainly help in the interim, so I'll toss this on the pile of requested documentation and maybe we can handle it during the sprint.

[xurizaemon]

Suggest the title be renamed "Users without fedoraAdmin role can't upload images" as I think that's the crux of this issue?

Seems like WebAC Authorization Delegate and Web AC Auth Delegate: Example Scenarios are the adjacent docs, I'm going to give that a try on a local instance.

[antbrown]

I faced a reasonably similar issue this morning, in that as an anonymous user I couldn't create images and got the same error message "The file permissions could not be set on fedora://..."

Here's how the situation arose:

1. As an Editor (I have the fedoraAdmin role) I add a Media entity to a Node and click Save (published = true)
2. The Media is rendered through a View Mode which formats the Image using a Responsive Image formatter
3. I now open the page in a private browser session (Anonymous user, without the fedoraAmin role) and try to resize the page to see how the images are going to look on different devices
4. I see the image that was rendered while I was logged in as an Editor, but as I resize the page none of the other images load
5. As an Admin I see the log entries with "The file permissions could not be set on fedora://..." for each of the image styles in the responsive image configuration (except for the one I loaded while I was an editor)

The old plain image field stored images at sites/default/files/... but now that I'm using a media entity reference field it is storing the image using uri_scheme: fedora. Is there a way to tell it to store the image styles using uri_scheme: public?

Many thanks!

[antbrown]

One way I thought of getting around this - for the case I outlined above is to override ImageStyle and re-route styles to the public uri scheme, if they match any of the styles that are meant for public consumption:

// .module file
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\dhr_media\Entity\PublicImageStyle;

/**
 * @param EntityTypeInterface[] $entity_types
 */
function dhr_media_entity_type_build(&$entity_types) {
  if (isset($entity_types['image_style'])) {
    $entity_types['image_style']->setClass(PublicImageStyle::class);
  }
}

And, the override:

namespace Drupal\dhr_media\Entity;

use Drupal\image\Entity\ImageStyle;
use Drupal\Core\StreamWrapper\StreamWrapperManager;

class PublicImageStyle extends ImageStyle {

  protected const PUBLIC_IMAGE_STYLES = [
    'dhr_bootstrap_breakpoint_xs',
    'dhr_bootstrap_breakpoint_sm',
    'dhr_bootstrap_breakpoint_md',
    'dhr_bootstrap_breakpoint_lg_xl',
  ];

  /**
   * {@inheritDoc}
   */
  public function buildUri($uri) {
    $uri = parent::buildUri($uri);
    if (in_array($this->id(), self::PUBLIC_IMAGE_STYLES)) {
      $scheme = StreamWrapperManager::getScheme($uri);
      if ($scheme !== 'public') {
        $scheme_pos = strpos($uri, $scheme);
        if ($scheme_pos !== FALSE) {
          $uri = substr_replace($uri, 'public', $scheme_pos, strlen($scheme));
        }
      }
    }
    return $uri;
  }

}