Posted by sbart76 on September 21, 2011 at 12:19pm
5 followers
| Project: | Media Gallery |
| Version: | 7.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
| Issue tags: | Beta8-blockers |
Issue Summary
I have an issue with permissions. I have two user roles on my site, and want to prevent one role from viewing pictures from the gallery. I set up the permissions accordingly, but still the pictures are visible to all users. I guess it is a bug unless I am missing something very obvious...
Comments
#1
This is actually a bug in the media gallery module. If you visit media/123 (Where 123 is the ID of the file) you will see permissions working, but the Media Gallery module isn't respecting them.
#2
#3
Here is a patch, which should respect the permissions.
The only access-permission, which i am not sure, if it is correct, is "remove media from gallery". Currently you can remove a media from the gallery, if you have the "Node: Gallery edit" permission. Is that also true, if you have no media permission (view/edit)? (This may be more important, when media supports a better permission-granularity.)
#4
The patch does not apply to latest changes in the media gallery.
#5
Tagging.
#6
Recreated patch.
Changelog:
- Removed access check in media_gallery.theme.inc (If there is no access to the files, they will be removed before theming.)
= Modified media_gallery_edit_item_access to not check, whether the user has access to the node, as the user only wants to edit the media.
+ Added access check in the edit media page to remove the media from gallery (only allow, if the user has update permissions).
#7
The patch looks good. Tested with non-auth and auth without view permissions. You can commit.
#8
Committed: http://drupalcode.org/project/media_gallery.git/commit/203c30b54bd8ff329...
#9
Automatically closed -- issue fixed for 2 weeks with no activity.