Closed (fixed)
Project:
Media Gallery
Version:
7.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
21 Sep 2011 at 12:19 UTC
Updated:
4 Jan 2014 at 01:11 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #1
JacobSingh commentedThis is actually a bug in the media gallery module. If you visit media/123 (Where 123 is the ID of the file) you will see permissions working, but the Media Gallery module isn't respecting them.
Comment #2
JacobSingh commentedComment #3
moloc commentedHere is a patch, which should respect the permissions.
The only access-permission, which i am not sure, if it is correct, is "remove media from gallery". Currently you can remove a media from the gallery, if you have the "Node: Gallery edit" permission. Is that also true, if you have no media permission (view/edit)? (This may be more important, when media supports a better permission-granularity.)
Comment #4
lsolesen commentedThe patch does not apply to latest changes in the media gallery.
Comment #5
lsolesen commentedTagging.
Comment #6
moloc commentedRecreated patch.
Changelog:
- Removed access check in media_gallery.theme.inc (If there is no access to the files, they will be removed before theming.)
= Modified media_gallery_edit_item_access to not check, whether the user has access to the node, as the user only wants to edit the media.
+ Added access check in the edit media page to remove the media from gallery (only allow, if the user has update permissions).
Comment #7
lsolesen commentedThe patch looks good. Tested with non-auth and auth without view permissions. You can commit.
Comment #8
moloc commentedCommitted: http://drupalcode.org/project/media_gallery.git/commit/203c30b54bd8ff329...