Wrong permissions with non-admins

Open kraemer-igroup opened this issue 10 years ago • 5 comments

I noticed two issues and think it is not a configuration error.

Media module for non-admins: all files from general file storage are shown, not just from the assigned filemount.

Media filepicker for non-admins: filemount is respected, but there are no files from contained subfolders.

TYPO3 6.2.14 with media 3.7.2 and vidi 1.3.1

kraemer-igroup avatar Dec 01 '15 14:12 kraemer-igroup

With the "has_folder_tree" option it is possible to see all files (filepicker), but again it's all files from file storage and not just from the assigned filemount as expected. Also you have to click the subfolder option every time and only see the option if you opened the settings on the top right before...

Even with "has_folder_tree" activated the media module shows all files if no folder is selected. So permission comes only for the tree and from folder selection instead of checking user permissions when fetching the file list.

We temporarily "fixed" the subfolder issue by removing this if block: https://github.com/fabarea/media/blob/master/Classes/Security/FilePermissionsAspect.php#L72

kraemer-igroup avatar Dec 01 '15 15:12 kraemer-igroup

We encountered the same problem. And applied this work-around. Will this be fixed in a future 3.7.x version? Thank you for your answer Fabian, and thanks for your work!

hansup avatar Aug 25 '16 11:08 hansup

I can confirm, I am not experiencing a permission problem with 3.7.x for a non-admin user.

fabarea avatar Aug 29 '16 19:08 fabarea

We still have this issue in 4.3.0. If a non-admin user gets the media popup to add for example an image, he doesn't see any images. When I comment out $matcher->in('uid', $collectedFiles) in FilePermissionsAspect.php the files are shown. Am I missing something in my configuration?

Non-admins are able to upload using the Media module to this same filemount, so it doesn't look like a permission issue.

abvdveen avatar Jan 23 '17 13:01 abvdveen

Problem still exists! Why is there even this check in FilePermissionsAspect.php:68?

Previously I've created an issue for that for ext:vidi. To reproduce:

I'm trying to create a directory for each BE-user where each user can only add files to his own directory but can see and "interact" with files from other users. Like user1 adds a file and user2 can use this file in content element "Text & Media".

This is my setup:

Directories:

  1. /fileadmin/user_uploads/Users/
  2. /fileadmin/user_uploads/Users/user1/
  3. /fileadmin/user_uploads/Users/user2/

Filemounts:

  1. "Read user files": read-only for directory 1
  2. "User: user1": Full rights for directory 2
  3. "User: user2": Full rights for directory 3

BE-groups:

  1. Read user files
    • Filemounts: "[1] Read user files"

BE-users:

  1. user1
    • BE-Group: "[1] Read user files"
    • Filemounts: "[2] User: user1"
  2. user2
    • BE-Group: "[1] Read user files"
    • Filemounts: "[3] User: user2"

"[1] user1" uploaded a file to his directory "[2] user1" and "[2] user2" can see this file in core-module "Filelist", the module "Media" from ext:media and in the core-fileselect that is used to add a file reference to for example a content element of type "Text & Media".

The vidi-fileselect does not show the file from user1 to user2.

simplychrislike avatar Nov 28 '18 18:11 simplychrislike
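
The access model discussed in this thread, as an added example that is not part of the issue and not TYPO3 or ext:media code: the file list itself is filtered against the union of the user's own and group-inherited filemounts, with subfolders included. The function names are hypothetical, and the `user10` and `other` paths are constructed to exercise the prefix check and the outside-of-mount case.

```php
<?php
declare(strict_types=1);
// Constructed model of the setup from the last comment. Each mount is
// [folder, writable]. Paths are assumed to be canonical (no ".." segments).
const GROUP_MOUNTS = ['Read user files' => [['/fileadmin/user_uploads/Users/', false]]];
const USERS = [
    'user1' => ['groups' => ['Read user files'], 'mounts' => [['/fileadmin/user_uploads/Users/user1/', true]]],
    'user2' => ['groups' => ['Read user files'], 'mounts' => [['/fileadmin/user_uploads/Users/user2/', true]]],
];

// Effective mounts: the user's own mounts plus those inherited from every group.
function effectiveMounts(string $user): array
{
    $mounts = USERS[$user]['mounts'];
    foreach (USERS[$user]['groups'] as $group) {
        $mounts = array_merge($mounts, GROUP_MOUNTS[$group] ?? []);
    }
    return $mounts;
}

// Prefix match on a slash-terminated folder: covers subfolders at any depth,
// and ".../user1/" does not match ".../user10/".
function isWithin(string $file, string $folder): bool
{
    $folder = rtrim($folder, '/') . '/';
    return strncmp($file, $folder, strlen($folder)) === 0;
}

function isAllowed(string $user, string $file, bool $needWrite): bool
{
    foreach (effectiveMounts($user) as [$folder, $writable]) {
        if (isWithin($file, $folder) && (!$needWrite || $writable)) {
            return true;
        }
    }
    return false;
}
// Constructed sample storage content.
$files = [
    '/fileadmin/user_uploads/Users/user1/photo.jpg',
    '/fileadmin/user_uploads/Users/user1/album/nested.jpg',
    '/fileadmin/user_uploads/Users/user2/logo.png',
    '/fileadmin/user_uploads/Users/user10/draft.pdf',
    '/fileadmin/other/contract.pdf',
];
// The check runs on every fetched file, whatever folder the UI has selected.
foreach ($files as $file) {
    printf("%-52s read=%d write=%d\n", $file, isAllowed('user1', $file, false), isAllowed('user1', $file, true));
}
```

Because the decision is made per file at fetch time, a module that shows the list without a selected folder and a picker that recurses into subfolders both get the same answer.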