I'm having an issue where I have a custom content type, and file uploads are enabled for this content type. Only users of a specific role can create this content type, and the file upload is restricted to PDF files.

However, I am able to upload the full gamut of allowed file types. I traced the issue back to the upload module:

if ($error['extension'] == $user_roles) {
            form_set_error('upload', t('The selected file %name can not be attached to this post, because it is only possible to attach files with the following extensions: %files-allowed.', array('%name' => $file->filename, '%files-allowed' => $extensions)));
            $valid = FALSE;
          }

This code is failing because the user has two roles at this point: authenticated user and my custom user role. I can easily patch the module, but since it's core, I'd rather not have to do that.

Has anyone got any advice for dealing with this issue?

Comments

webernet’s picture

Category: bug » support
Priority: Critical » Normal
Status: Active » Closed (works as designed)

User 1 can always upload any file type.

ebeyrent’s picture

Status: Closed (works as designed) » Active

Perhaps I was not clear.

This is not for user 1. This is for EVERY user of a specific role.

My site has multiple roles:

standard user
admin user
etc

Anyone who is one of these roles is ALSO an authenticated user, giving them two roles. Does this clear up the confusion?

ebeyrent’s picture

Priority: Normal » Critical

Is anyone looking at this?

ebeyrent’s picture

Category: support » bug
ebeyrent’s picture

The problem really is one of weights. In my application, I have several user roles:

standard user
partner
admin

A user who has the standard user role might also have the partner role. The standard user cannot upload files, but the parter role can upload pdf files. In the following code:

$user_roles = count($user->roles);
$valid = TRUE;
if ($error['extension'] == $user_roles) {
  form_set_error('upload', t('The selected file %name can not be attached to this post, because it is only possible to attach files with the following extensions: %files-allowed.', array('%name' => $file->filename, '%files-allowed' => $extensions)));
  $valid = FALSE;
}
elseif ($error['uploadsize'] == $user_roles) {
  form_set_error('upload', t('The selected file %name can not be attached to this post, because it exceeded the maximum filesize of %maxsize.', array('%name' => $file->filename, '%maxsize' => format_size($uploadsize))));
  $valid = FALSE;
}
elseif ($error['usersize'] == $user_roles) {
  form_set_error('upload', t('The selected file %name can not be attached to this post, because the disk quota of %quota has been reached.', array('%name' => $file->filename, '%quota' => format_size($usersize))));
  $valid = FALSE;
}

What this code (upload.module, lines 443-459) is doing is comparing the number of roles to the number of errors. Because my user has two roles, and only one of the roles can upload a pdf file, $user_roles = 2, but $error['extension'] = 1. Therefore, the upload is never seen as invalid.

I understand that there is a role weights module, and perhaps that needs to be rolled into core, and/or upload needs to respect it.

blinko’s picture

Probably a duplicate of:
http://drupal.org/node/155425

ebeyrent’s picture

It's not even remotely close to the issue I am reporting. Issue 155425 refers to disk quotas. I'm talking about file types. What makes you think the two are related??

ebeyrent’s picture

Really - forgive me for being frustrated - but I even went and pointed out the code where I think the error is happening, along with the reason why I think the error is happening. The code is comparing the number of errors to the number of roles a user has. Not only does this not makes sense to me, but it makes no sense how you can read what I wrote and think this has something to do with the size of the file being uploaded.

drumm’s picture

Status: Active » Closed (works as designed)

The intent is that permissions are the sum of the permissions from each of the user's role. If role 'Admin' can upload txt,csv,xsl and 'Beta' can upload txt,pdf, then a user with both 'Admin' and 'Beta' can upload txt,csv,xsl,pdf.

If I understand correctly, you have a node type that only one role can create/edit, and expect it to only use the upload permissions for that role. Continuing the example, if only 'Admin' has create/edit permissions, then our user should only be able to upload txt,csv,xsl.

That is not how the permissions are designed in Drupal 5 and 6. The upload permissions apply for all node types, independently of the node type's permissions. This of course can be changed in Drupal 7 if a developer takes it on; I think the UI should be improved to make who gets what permission obvious.