Merge pull request #50 from HifiExperiments/asset-security

Asset Security Documentation
overte-org · Jun 28, 2024 · 5ab878d · 5ab878d
2 parents 8e6cf76 + 09215dd
commit 5ab878d
Show file tree

Hide file tree

Showing 6 changed files with 111 additions and 31 deletions.
diff --git a/source/create/avatars/create-avatars.rst b/source/create/avatars/create-avatars.rst
@@ -14,7 +14,7 @@ There are three ways to get your own avatar. You can either:
 
 .. note:: If you get an avatar from an external source such as TurboSquid, CGTrader, MakeHuman, or VRoid Studio, it is likely that the skeleton does not match our :doc:`avatar standards <avatar-standards>`. To use these avatars with Overte, use the `Overte Avatar Exporter for Unity <find-avatars.html#overte-avatar-exporter-for-unity>`_ to correctly map the skeleton and package your avatar.
 
-If you want to create an avatar from scratch, this page covers the steps needed to create, rig, and package your avatar.
+If you want to create an avatar from scratch, this page covers the steps needed to create, rig, and package your avatar. Learn more about the :doc:`security of your assets <../../security/asset-security>`.
 
 .. contents:: On This Page
     :depth: 2

diff --git a/source/create/avatars/find-avatars.rst b/source/create/avatars/find-avatars.rst
@@ -7,6 +7,7 @@ Find and Use an Existing Avatar
 ###############################
 
 You can download avatars for use from external sources such as TurboSquid or CGTrader. Once you get the avatar, you will need to process it in Unity using the Overte Avatar Exporter. This tool imports most avatars into Unity, maps their skeleton using Unity's humanoid tool, and exports them as FST and FBX files to import in-world.
+Learn more about the :doc:`security of your assets <../../security/asset-security>`.
 
 .. contents:: On This Page
     :depth: 3
@@ -50,7 +51,7 @@ Install the Avatar Exporter
 
 You need to install the extension for every Unity project that you have. Keep in mind, however, that you can import and export multiple avatars in a single Unity project.
 
-1. Download the `avatar exporter <https://github.com/overte-org/overte/blob/master/tools/unity-avatar-exporter/avatarExporter.unitypackage?raw=true>`_ from Overte. 
+1. Download the `avatar exporter <https://github.com/overte-org/overte/blob/master/tools/unity-avatar-exporter/avatarExporter.unitypackage?raw=true>`_ from Overte.
 2. In Unity, open the 'Project' window at the bottom.
 
 .. image:: _images/project-window.png

diff --git a/source/host/add-content/create-content.rst b/source/host/add-content/create-content.rst
@@ -7,15 +7,16 @@ Build and Add Your Own Content
 ##############################
 
 Maybe you've wandered around the metaverse, and you're inspired by the creativity of others. Or maybe none of the other domains really fit the atmosphere of what you have in mind. Whatever the reason, you're ready to branch out and build content of your own. If you don't know where to begin, this is a great place to start.
+Learn more about the :doc:`security of your assets <../../security/asset-security>`.
 
 .. contents:: On This Page
     :depth: 2
 
 --------------------------
-Tools for Creating Content 
+Tools for Creating Content
 --------------------------
 
-A content set is simply a collection of many different entities, models and scripts working together to form an interactive environment. Visit our :doc:`Create <../../create>` section to learn more about the available tools and examples of how to make your environment more alive: 
+A content set is simply a collection of many different entities, models and scripts working together to form an interactive environment. Visit our :doc:`Create <../../create>` section to learn more about the available tools and examples of how to make your environment more alive:
 
 * :doc:`Create Tools <../../create/tools>`
 * :doc:`All About Entities <../../create/entities>`
@@ -27,15 +28,15 @@ A content set is simply a collection of many different entities, models and scri
 Techniques for Creating Content Sets
 ------------------------------------
 
-Creating a content set can be complicated because you're designing an entire environment, rather than one single item. Its like building an entire city, which is comprised of many buildings, trees and roads. Some artists want to share their progress, each step along the way. Others want to wait to show off their creation until the final build is complete. 
+Creating a content set can be complicated because you're designing an entire environment, rather than one single item. Its like building an entire city, which is comprised of many buildings, trees and roads. Some artists want to share their progress, each step along the way. Others want to wait to show off their creation until the final build is complete.
 
 We let you choose how you want to build and deploy your content. The process for updating the content set on your domain will differ based on the approach you use to build your content. Choose the method that fits you best to learn more:
 
 +------------------------+------------------------------------------------------------------------------------------------------+
 | Method                 | Description                                                                                          |
 +========================+======================================================================================================+
 | `Make Live Updates`_   | As you make a change to your content, it will show up immediately in your domain in the metaverse.   |
-|                        | This means that any visitors in your domain will see the changes as they happen.                     | 
+|                        | This means that any visitors in your domain will see the changes as they happen.                     |
 +------------------------+------------------------------------------------------------------------------------------------------+
 | `Under Construction`_  | During the time that you're constructing your content set, your domain is offline to outside         |
 |                        | visitors. Users will be unable to visit your domain while it is under construction.                  |
@@ -50,7 +51,7 @@ We let you choose how you want to build and deploy your content. The process for
 Make Live Updates
 ^^^^^^^^^^^^^^^^^
 
-Live updates are made anytime you or any other user in your domain makes changes to the content. In order to make changes, a user must have the 'Rez' permission turned on. 
+Live updates are made anytime you or any other user in your domain makes changes to the content. In order to make changes, a user must have the 'Rez' permission turned on.
 
 Before going this route, decide on who (if anyone) you would like to change your content set, and :doc:`verify that their rez permissions are set correctly <../configure-settings/permission-settings>`. If you're going to be the one making changes, then ensure that you have rez rights. To update your content, all you need to is visit your domain and start making changes using the :doc:`Create Tools <../../create/tools>`.
 
@@ -63,18 +64,18 @@ Your server makes regular archives of the content in your domain. Visit your Dom
 Under Construction
 ^^^^^^^^^^^^^^^^^^
 
-While you make changes to your content set, you can take down your domain temporarily and prevent users from visiting while it is under construction. 
+While you make changes to your content set, you can take down your domain temporarily and prevent users from visiting while it is under construction.
 
 To do this, simply the remove the 'Connect' permission for all users other than yourself (and any other co-creators working alongside you). When you are done, all you need to do is re-enable the 'Connect' permission.
 
 1. Open your domain settings.
 
     * For cloud hosted domains: Open a browser and enter the URL http://<insert your server's IP address here>:40100/settings. Log in when prompted.
-    * For local servers on Windows: Click on the Overte icon in the system tray, then click 'Settings'. 
+    * For local servers on Windows: Click on the Overte icon in the system tray, then click 'Settings'.
     * For local servers on Mac: Right-click the Overte icon on the top menu bar, then click 'Settings'.
 2. On the top menu bar, select **Settings > Security**.
-3. Scroll to 'Standard Permissions'. 
-4. For each Permissions group, uncheck the 'Connect' permission for all users and groups (except yourself and anyone else working on the content). 
+3. Scroll to 'Standard Permissions'.
+4. For each Permissions group, uncheck the 'Connect' permission for all users and groups (except yourself and anyone else working on the content).
 5. Click 'Save' and close the Domain Settings page.
 
 Once you have set the permissions, visit your domain and begin building your content set using the :doc:`Create Tools <../../create/tools>`. We recommend locking all of your content so that it cannot be modified by visitors to your domain.
@@ -88,7 +89,7 @@ When you're done, follow the above steps to re-enable the Connect permission for
 Create and Deploy
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-The final technique for building a content set follows a basic development workflow: 
+The final technique for building a content set follows a basic development workflow:
 
 * Build content in an offline environment
 * (Optional) Build and test it
@@ -97,7 +98,7 @@ The final technique for building a content set follows a basic development workf
 
 We recommend using this method if you want to avoid interruption to your domain while you build your content, deploy your content set to multiple domains, or test your content before you deploy.
 
-1. Install Overte's open source Client + Sandbox software on a computer that is _not_ running as a local server. 
+1. Install Overte's open source Client + Sandbox software on a computer that is _not_ running as a local server.
 2. Open a Sandbox not connected to a local server.
 3. Build your content set in the Sandbox.
 4. `Export your content to JSON <export-content.html#export-entities-to-json>`_.

diff --git a/source/host/configure-settings/permission-settings.rst b/source/host/configure-settings/permission-settings.rst
@@ -11,27 +11,27 @@ You can protect your domain by setting user permission for the visitors in your
 Set User Permissions
 --------------------
 
-Permissions can be assigned to standard user groups, custom user groups, specific users, users from a specific IP, and users from specific computers. 
+Permissions can be assigned to standard user groups, custom user groups, specific users, users from a specific IP, and users from specific computers.
 
-The permissions for a user will be the sum of all groups that the user is in. For example, let's say that all logged in users can connect and only localhost users can rez entities. If a user is both logged in and on localhost, then they will be able to both connect and rez entities. Additionally, when you assign user permissions to a specific user, it will supersede any group-level permissions that otherwise might apply to that user.  
+The permissions for a user will be the sum of all groups that the user is in. For example, let's say that all logged in users can connect and only localhost users can rez entities. If a user is both logged in and on localhost, then they will be able to both connect and rez entities. Additionally, when you assign user permissions to a specific user, it will supersede any group-level permissions that otherwise might apply to that user.
 
-To assign user permissions: 
+To assign user permissions:
 
 1. Open your domain settings.
 
     * For cloud hosted domains: Open a browser and enter the URL http://<insert your server's IP address here>:40100/settings. Log in when prompted.
-    * For local servers on Windows: Click on the Overte icon in the system tray, then click 'Settings'. 
+    * For local servers on Windows: Click on the Overte icon in the system tray, then click 'Settings'.
     * For local servers on Mac: Right-click the Overte icon on the top menu bar, then click 'Settings'.
     * For any OS: Open a browser and enter the URL http://localhost:40100/settings.
 2. Scroll to 'Domain-Wide User Permissions'.
 3. First, set any permissions for the `standard user groups`_. Check the box of all permissions you'd like to grant.
 4. To assign all other permissions, you need to add a custom group, specific user, etc individually to the correct permissions table:
 
     * **Add Group**: Enter the name of the custom group or list, then click the ``+`` icon. Save your domain settings to load ranks. Check the box of all permissions you'd like to grant or deny (depending on the permissions table you are adding the group to).
-    
-        .. image:: ../_images/group-permissions.png 
+
+        .. image:: ../_images/group-permissions.png
     * **Add Specific User**: Click the ``+`` icon, then enter a specific user name. Check the box of all permissions you'd like to grant.
-    
+
         .. image:: ../_images/user-permissions.png
     * **Add IP Address, MAC Address, or Machine Fingerprint**: Click the ``+`` icon, then enter the information (based on the permissions table you are adding permission to). Check the box of all permissions you'd like to grant.
 5. Click 'Save' to save your domain settings.
@@ -40,7 +40,7 @@ To assign user permissions:
 Standard User Groups
 -----------------------------
 
-Your domain comes with four basic security groups that are already set up, based on the people that you will interact with in the metaverse. They are: 
+Your domain comes with four basic security groups that are already set up, based on the people that you will interact with in the metaverse. They are:
 
 +-----------+--------------------------------------------------------------------------------------------+
 | User Type | Description                                                                                |
@@ -65,7 +65,7 @@ Your domain comes with four basic security groups that are already set up, based
 
 The 'Connect' permission for these standard user groups determine the privacy level of your domain:
 
-* **Public**: A public domain allows 'anonymous' and/or 'logged-in' users to connect to it. These domains may be shown in the Explore app and in other places around the metaverse. 
+* **Public**: A public domain allows 'anonymous' and/or 'logged-in' users to connect to it. These domains may be shown in the Explore app and in other places around the metaverse.
 * **Private**: A private domain does not allow 'anonymous' and/or 'logged-in' users to connect to it. Domain owners are responsible for promoting their domains to other users and maintaining connect permissions for users to enter their domain.
 
 ----------------
@@ -90,15 +90,6 @@ The actions that you can secure for each type of user are as follows:
 |                         | Maximum Lifetime of Temporary Entities**). These users will also have full   |
 |                         | access to the **Create** app.                                                |
 +-------------------------+------------------------------------------------------------------------------+
-| Rez Certified           | This was used to set whether a user can permanently create (or rez) new      |
-|                         | entities that were purchased from the Marketplace. Right now it does         |
-|                         | nothing.                                                                     |
-+-------------------------+------------------------------------------------------------------------------+
-| Rez Temporary Certified | This was used to set whether a user can create (or rez) new entities from    |
-|                         | the Marketplace for a finite lifetime (the lifetime is set in **Domain       |
-|                         | Settings > Entities > Advanced Settings > Maximum Lifetime of Temporary      |
-|                         | Entities**). Right now it does nothing.                                      |
-+-------------------------+------------------------------------------------------------------------------+
 | Write Assets            | Sets whether a user can add assets (models, audio,  or other files) or make  |
 |                         | changes to the domain's asset server (your domain's file storage space).     |
 +-------------------------+------------------------------------------------------------------------------+
@@ -117,3 +108,8 @@ The actions that you can secure for each type of user are as follows:
 |                         | <https://apidocs.overte.org/Entities.html#.EntityProperties>`_ type          |
 |                         | definition.                                                                  |
 +-------------------------+------------------------------------------------------------------------------+
+| Can View Asset URLs     | Sets whether a user can view asset URLs in **Create** and scripts. If a user |
+|                         | doesn't have this permission, the URLs will be reported as empty strings.    |
+|                         | Note: this is only a client-side protection. Learn more about                |
+|                         | :doc:`asset security <../../security/asset-security>`.                       |
++-------------------------+------------------------------------------------------------------------------+
diff --git a/source/security.rst b/source/security.rst
@@ -9,3 +9,4 @@ Security information about the project and its components: Interface, server, an
     :titlesonly:
 
     Crash Reporting <security/crash-reporting.rst>
+    Asset Security <security/asset-security.rst>