Allows creation of assets/directories in directories which user does not have browse access to
| Project: | Asset |
| Version: | 5.x-1.x-dev |
| Component: | User interface (Asset wizard) |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | needs review |
To reproduce, log in as a user without 'administer assets' and create a new "public" directory under your "My Assets" directory.
Then log in as a different user (also without 'administer assets') and in the browse tool click ".." and note that the "public" directory is not visible.
Then click on upload (or create directory), and notice that the public directory is listed in the dropdown, allowing you to add to that directory. Upload a new asset into one of these directories and notice that you cannot find or select that asset any more.
The root cause here is that there is no UI for browsing to a public directory that is *within* a private directory. Possibly we could create a logical UI for that (perhaps by allowing browsing of private directories without listing any non-directory contents), but it is a little harder, especially since many systems treat private directories as truly private which could be a set up for confusion.
At the very least we should not allow users to upload assets to these directories which are unreachable, and this is what the patch does. Note that users with 'administer assets' can still create root level public directories that are public, and regular users can add to these.
| Attachment | Size |
|---|---|
| dir_dropdown_perm.patch | 766 bytes |