mattrogowski
Well-known member
Affected version: 2.2.4
Related to this report but expanding the scope of it a bit.
The permissions for uploading images/videos/audio don't seem to work correctly if the album is in a category.
When setting global usergroup permissions, if "Upload image to album" or "Upload video to album" is disabled, I can still upload an image or video:
Usergroup permissions:
New album:
Existing album:
If I disable ALL 3 permissions for images/videos/audio, it hides the button, but if any are enabled, I can upload media of any type.
The category-level permissions are not applied either. It defers to $this->Category->allowed_types, but that is just the allowed types on the category. It doesn't check the category-level permissions at all, so all types are allowed.
Code:
    public function canUploadMedia(&$error = null)
    {
        if ($this->category_type == 'container')
        {
            return false;
        }
        else if ($this->category_type == 'album')
        {
            $album = $this->_em->create('XFMG:Album');
            return $album->canUploadMedia($error);
        }
        else
        {
            foreach ($this->allowed_types AS $type)
            {
                if ($type == 'image' || $type == 'video' || $type == 'audio')
                {
                    return true;
                }
            }
            return false;
        }
    }
When this calls $album->canUploadMedia it checks $this->allowed_types on the album, but that array contains whatever types are allowed on the category (return $this->Category->allowed_types;) so just allows everything. As permissions can be set per-category, it would be expected that those would override the global permissions, and the media types allowed on the category (i.e. if video is enabled on the category but disabled in permissions, it shouldn't be available). It means that there is no way to stop people, for example, uploading videos, without stopping them uploading anything at all.

If an album is not in a category, the permissions all seem to work as expected. It's only when they're in a category and XFMG\Entity\Album::getAllowedTypes() defers to $this->Category->allowed_types that the issues start to unfold as it never checks the per-category permissions anywhere.
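The gap described in the report above, as an added standalone example that is not part of the original post and not XFMG code: it contrasts a check that only looks at the category's allowed types with one that also requires the per-type upload permission, letting a category-level value override the global one. The permission keys, function names and sample data are hypothetical and constructed for illustration.

```php
<?php
// Standalone model of the check discussed above; it does not use XenForo or XFMG classes.
// Permission keys ('uploadImage', ...) are hypothetical names, and all data is constructed.

const TYPE_PERMISSION = [
    'image' => 'uploadImage',
    'video' => 'uploadVideo',
    'audio' => 'uploadAudio',
];

// Behaviour as reported: the category's allowed types are used as-is,
// so every enabled type is uploadable regardless of per-type permissions.
function reportedUploadableTypes(array $categoryAllowedTypes): array
{
    return array_values(array_intersect($categoryAllowedTypes, array_keys(TYPE_PERMISSION)));
}

// Behaviour the report expects: a type is uploadable only if the category
// allows it AND the per-type permission is granted, with a category-level
// permission value overriding the global usergroup value when one is set.
function expectedUploadableTypes(array $categoryAllowedTypes, array $globalPerms, array $categoryPerms): array
{
    $types = [];
    foreach ($categoryAllowedTypes as $type) {
        $perm = TYPE_PERMISSION[$type] ?? null;
        if ($perm === null) {
            continue; // a type outside image/video/audio has no upload permission here
        }
        // Category value first, then global, then deny by default.
        $granted = $categoryPerms[$perm] ?? $globalPerms[$perm] ?? false;
        if ($granted) {
            $types[] = $type;
        }
    }
    return $types;
}

// Constructed case from the report: video enabled on the category, disabled in permissions.
$allowed  = ['image', 'video', 'audio', 'embed'];
$global   = ['uploadImage' => true, 'uploadVideo' => false, 'uploadAudio' => true];
$category = []; // no category-level overrides set

echo 'reported: ', implode(',', reportedUploadableTypes($allowed)), PHP_EOL;
echo 'expected: ', implode(',', expectedUploadableTypes($allowed, $global, $category)), PHP_EOL;
echo 'override: ', implode(',', expectedUploadableTypes($allowed, $global, ['uploadImage' => false])), PHP_EOL;
```

Because the same decision is made once when the upload button is shown and again when the upload is accepted, the per-type check needs to be applied at both points for the permission to be effective.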