Closed (works as designed)
Project:
Drupal core
Version:
5.5
Component:
upload.module
Priority:
Critical
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
19 Dec 2007 at 17:57 UTC
Updated:
21 Dec 2008 at 02:37 UTC
I'm having an issue where I have a custom content type, and file uploads are enabled for this content type. Only users of a specific role can create this content type, and the file upload is restricted to PDF files.
However, I am able to upload the full gamut of allowed file types. I traced the issue back to the upload module:
if ($error['extension'] == $user_roles) {
form_set_error('upload', t('The selected file %name can not be attached to this post, because it is only possible to attach files with the following extensions: %files-allowed.', array('%name' => $file->filename, '%files-allowed' => $extensions)));
$valid = FALSE;
}
This code is failing because the user has two roles at this point: authenticated user and my custom user role. I can easily patch the module, but since it's core, I'd rather not have to do that.
Has anyone got any advice for dealing with this issue?
Comments
Comment #1
webernet commentedUser 1 can always upload any file type.
Comment #2
ebeyrent commentedPerhaps I was not clear.
This is not for user 1. This is for EVERY user of a specific role.
My site has multiple roles:
standard user
admin user
etc
Anyone who is one of these roles is ALSO an authenticated user, giving them two roles. Does this clear up the confusion?
Comment #3
ebeyrent commentedIs anyone looking at this?
Comment #4
ebeyrent commentedComment #5
ebeyrent commentedThe problem really is one of weights. In my application, I have several user roles:
standard user
partner
admin
A user who has the standard user role might also have the partner role. The standard user cannot upload files, but the parter role can upload pdf files. In the following code:
What this code (upload.module, lines 443-459) is doing is comparing the number of roles to the number of errors. Because my user has two roles, and only one of the roles can upload a pdf file, $user_roles = 2, but $error['extension'] = 1. Therefore, the upload is never seen as invalid.
I understand that there is a role weights module, and perhaps that needs to be rolled into core, and/or upload needs to respect it.
Comment #6
blinko commentedProbably a duplicate of:
http://drupal.org/node/155425
Comment #7
ebeyrent commentedIt's not even remotely close to the issue I am reporting. Issue 155425 refers to disk quotas. I'm talking about file types. What makes you think the two are related??
Comment #8
ebeyrent commentedReally - forgive me for being frustrated - but I even went and pointed out the code where I think the error is happening, along with the reason why I think the error is happening. The code is comparing the number of errors to the number of roles a user has. Not only does this not makes sense to me, but it makes no sense how you can read what I wrote and think this has something to do with the size of the file being uploaded.
Comment #9
drummThe intent is that permissions are the sum of the permissions from each of the user's role. If role 'Admin' can upload txt,csv,xsl and 'Beta' can upload txt,pdf, then a user with both 'Admin' and 'Beta' can upload txt,csv,xsl,pdf.
If I understand correctly, you have a node type that only one role can create/edit, and expect it to only use the upload permissions for that role. Continuing the example, if only 'Admin' has create/edit permissions, then our user should only be able to upload txt,csv,xsl.
That is not how the permissions are designed in Drupal 5 and 6. The upload permissions apply for all node types, independently of the node type's permissions. This of course can be changed in Drupal 7 if a developer takes it on; I think the UI should be improved to make who gets what permission obvious.