Media upload permissions not applied

mattrogowski

Well-known member
Affected version
2.2.4
Related to this report but expanding the scope of it a bit.

The permissions for uploading images/videos/audio don't seem to work correctly if the album is in a category.

When setting global usergroup permissions, if "Upload image to album" or "Upload video to album" is disabled, I can still upload an image or video:

Usergroup permissions:
1647279969629.png
New album:
1647280027160.png
Existing album:
1647280045690.png

If I disable ALL 3 permissions for images/videos/audio, it hides the button, but if any are enabled, I can upload media of any type.

The category-level permissions are not applied either. It defers to $this->Category->allowed_types, but that is just the allowed typed on the category. it doesn't check the category-level permissions at all, so all types are allowed.

1647277753015.png
1647277768548.png
Code:
public function canUploadMedia(&$error = null)
{
    if ($this->category_type == 'container')
    {
        return false;
    }
    else if ($this->category_type == 'album')
    {
        $album = $this->_em->create('XFMG:Album');
        return $album->canUploadMedia($error);
    }
    else
    {
        foreach ($this->allowed_types AS $type)
        {
            if ($type == 'image' || $type == 'video' || $type == 'audio')
            {
                return true;
            }
        }

        return false;
    }
}

When this calls $album->canUploadMedia it checks $this->allowed_types on the album, but that array contains whatever types are allowed on the category (return $this->Category->allowed_types;) so just allows everything. As permissions can be set per-category, it would be expected that those would override the global permissions, and the media types allowed on the category (i.e. if video is enabled on the category but disabled in permissions, it shouldn't be available). It means that there is no way to stop people for example uploading videos, without stopping them uploading anything at all.

If an album is not in a category, the permissions all seem to work as expected. It's only when they're in a category and XFMG\Entity\Album::getAllowedTypes() defers to $this->Category->allowed_types that the issues start to unfold as it never checks the per-category permissions anywhere.
 
Last edited:
Back
Top Bottom