I just realized that the img_assist module allows anonymous users to be able to utilize its functionality.

I believe that the img_assist module should have a new access control mechanism added that allows the admin to specify which roles are allowed to use img_assist. Currently access control exists to specify who can ADD new images, but not specify who can access the module in the first place.

In some cases, input forms are available to be utilized by Anonymous viewers (for example, by guardian.module which protects email addresses by front ending them with an input form to send email to the users). I believe other contact forms and modules exist as well that may have this issue ... in addition to other webforms (eg surveys) that anonymous users would have access to.

Currently the method of specifying access to the img_assist module as "access content" is too broad a permission set. I would favor a new permission set of "access img_assist" being added and specified.

Attached is a Patch that implements this functionality. The patch was generated with diff -ruN img_assist.module img_assist.module.syg. To apply use patch -p0 < img_assist.module

I modified the img_assist_menu() function calls to specify user_access('access img_assist') instead of user_access('access content'). I modified the img_assist_textarea() function and wrapped the entire code with:

  if(user_access('access img_assist')) {
  ....
  }

My limited testing shows that this correctly removes the access to the img assist module functionality for those roles that do not have this permission set specified. User roles that do have it specified see the img_assist functionality.

Not sure if I went about mucking the permissions in a "drupal-esque approved fashion"...but here it is...

This patch applied cleanly to two Drupal 4.6.0 production systems. I have not attempted to muck with any of the CVS versions.

| Comment | File | Size | Author |
| --- | --- | --- | --- |
| #2 | img_assist_1.patch | 3.15 KB | shane |
| | img_assist_0.patch | 3.35 KB | shane |

Comments

shane

Sigh... This has the unintended side effect of blocking rendering of images generated through the img_assist module for anonymous users. I'll need to evaluate and separate the code that renders it from the code that provides access to the actual rendered image.

I suspect it's in img_assist_menu() function call, but not certain.

shane

Attached is another patch. In the function img_assist_menu() hook, I changed the img_assist/gen call permission setting back to "access content". Remaining menu hooks are left with the new permission set of "access img_assist".

This allows img_assist to render images for access content roles, and block access to the ability to insert images by roles with the "access img_assist" permission set.

Works so far - no other issues found....
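The permission split described in this comment, as an added sketch that is not part of the thread or of the attached patch. The `example_assist_*` function names, the `img_assist/insert` path, the sample roles and the stubbed `user_access()` are assumptions made so the script runs outside Drupal; only `img_assist/gen` and the two permission strings come from the thread.

```php
<?php
// Stand-in for Drupal core's user_access() so the sketch runs stand-alone.
// Constructed sample roles and their permissions (assumption, not site data).
$role_perms = array(
  'anonymous'  => array('access content'),
  'site admin' => array('access content', 'access img_assist'),
);
$current_role = 'anonymous';

function user_access($perm) {
  global $role_perms, $current_role;
  return in_array($perm, $role_perms[$current_role]);
}

// hook_perm(): declares the new permission so it shows up under "access control".
function example_assist_perm() {
  return array('access img_assist');
}

// hook_menu(): only the rendering path keeps the broad permission.
function example_assist_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    // Image generation must keep working for every role that can read content.
    $items[] = array('path' => 'img_assist/gen',
      'access' => user_access('access content'));
    // Hypothetical authoring path: gated by the new, narrower permission.
    $items[] = array('path' => 'img_assist/insert',
      'access' => user_access('access img_assist'));
  }
  return $items;
}

// Textarea hook body wrapped in the permission check, as the first post
// describes: roles without the permission get no img_assist link at all.
function example_assist_textarea() {
  return user_access('access img_assist') ? '[add image]' : '';
}

// Evaluate both routes and the textarea link for each constructed role.
foreach (array_keys($role_perms) as $current_role) {
  foreach (example_assist_menu(TRUE) as $item) {
    echo $current_role, ': ', $item['path'], ' ',
      $item['access'] ? 'allowed' : 'denied', "\n";
  }
  echo $current_role, ': textarea link "', example_assist_textarea(), "\"\n";
}
```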

seanbfuller

Thanks for the patch, this is a pretty big issue IMO.

SorcererXIII

When will this be included in the actual module?

Also a good thing to have would be better control over page types that can access it . . . I can't figure out how to turn it off for just forums, for example.

rimshot

Thank you for this patch! I was getting frustrated trying to find a solution until I came across your patch. I would like to vote for this to be included in the main branch. Also, I see in the last posting of this thread, someone was asking that they wanted to restrict it on the forums. Basically, this patch does that. In my case I have a "site admin" role which I gave access to the "access img_assist" in the "access control" area and now only the site admin can upload and add images, but authenticated users can not. Thus, this works just fine for not allowing users access to the img_assist who have access to the forums. I think this patch does exactly what I want. Thanks again!

scroogie

+1 for the patch to be committed

FFred

I just came to see if there was a solution to this very problem and happened upon this patch.

I too vote for it to be included in the module. Very useful addition.

darren oh

Status: Needs review » Fixed

Fixed in CVS commit 46531. In the future, instead of adding a +1 comment, set the patch as ready to be committed.

Anonymous

Status: Fixed » Closed (fixed)