Image.module image_perm function does not expose permission "access images". This means that anonymous users cannot be allowed to see images in the non personal images gallery. This permission is checked throughout the module but cannot be set on the administration panels.
Fix:
Old code ------
function image_perm() {
return array("has personal image gallery", "manipulate images", "create images", "administer images");
}
Fixed code ------
function image_perm() {
return array("access images", "has personal image gallery", "manipulate images", "create images", "administer images");
}
Comments
Comment #1
moshe weitzman commentedComment #2
menesis commentedI think it should be fixed the other way around - use 'access content' permission to control access to images and drop 'access images'. Other node type modules do not have separate access permissions. Will attach an one-line patch.
Comment #3
Uwe Hermann commentedComment #4
rshannon commentedI've tried this patch with both "access images" and with "access content" and neither seems to be allowing anon access to images. Is this patch working for others? If so, in which form?
Comment #5
rshannon commentedDisregard previous. Use of "access images" does work fine, if properly activated, saved, etc. Duh.
Comment #6
adamrice commentedThe proposed patch does work for me. I agree that this should simply inherit the perms for "node". It's also interesting that, even with this permission-problem in place, it's possible to jump directly to an image if you have its node URL -- it's simply the gallery listings that are off-limits.
Comment #7
adamrice commentedOops--incorrectly marked as closed.
Comment #8
malfunct commentedIf you change the image_access function to the below:
/**
* Function to determine whether a user has access to this node or not.
*
* Return 0 (or False) if the user should be denied access.
* Return Any other value if the user should be granted access.
*/
function image_access($op, $node) {
global $user;
if(!user_access("access images"))
{
return FALSE;
}
// For create access if the user has create permissions
if ($op == "create") {
return user_access("create images") || _image_can_personal();
}
// allow the creator of the node to update it
if ($op == "update" && $user->uid == $node->uid) {
return TRUE;
}
// allow the creator of the node to delete it
if ($op == "delete" && $user->uid == $node->uid) {
return TRUE;
}
}
It will block access to the image node if the user doesn't have the access images permission. I think this is the right way to make the access images permission have substance.
Comment #9
(not verified) commentedThis code worked brilliantly - thank you
Comment #10
Zed Pobre commentedThis bug (and patch) apply to the pre-rewrite code, and aren't applicable to the current image.module.