Users can access attached files attached to media_documents without permission
SomebodySysop - February 10, 2009 - 03:53
| Project: | Media Manager |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Description
Currently, in mmedia_nodes.module, the function mmedia_nodes_view() displays a link to the file attached to a media_document.
This code:
<?php
// We display the media through a presenter as its derivative.
$node->content['media-form-preview'] = array(
  '#value' => mapi_display($filename, $profile),
  '#weight' => -15,
);
?>
should be modified to:
<?php
if (user_access('view attached media')) {
  // We display the media through a presenter as its derivative.
  $node->content['media-form-preview'] = array(
    '#value' => mapi_display($filename, $profile),
    '#weight' => -15,
  );
}
?>
I have made this modification locally and it does not allow a user to see the file attachment link unless the user has the permission.

#1
The 'view attached media' is from the mmedia_attach module.
This would cause a cross permissions problem.
Do you mean that it has to be changed in the mmedia_attach NOT to show the media if the permissions are not view attached media?
#2
I did make a modification in mmedia_attach.module within the hook_link() section.
The updated CVS has within it the following change (note the added user_access('view attached media') for checking the permissions as they should be before the links are displayed).
function mmedia_attach_link($type, $node = NULL, $teaser = FALSE) {
  // Always return an array, even when the permission check fails.
  $links = array();
  // Only build the links when the user may view attached media.
  if ($type == 'node' && !empty($node->media) && user_access('view attached media')) {
    foreach ($node->media as $aid => $mid) {
      $object = media_attach_load($aid);
      if (!empty($object->download)) {
        $media = media_load($mid);
        $link = theme('media_attach_link', $object, $media);
        if (is_array($link)) {
          $links['media media-'. $mid .' ext-'. $media->ext] = $link;
        }
      }
    }
  }
  return $links;
}
#3
If this section controls the visibility of the link in a media_document node, then yes, this is it.
Problem is that I'm not entirely sure where that link comes from. I only know that making the change I made prevents it from being displayed in the media_document node, which is what I was looking for.
#4
This is actually a problem where a media_document didn't have the ability for access permissions. This has been added to the mmedia_nodes.module file in the CVS.
This should make it easier to fine tune the permission for the user roles.
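The kind of node-level access control comment #4 describes, as an added example that is not part of the original thread and is not the code committed to mmedia_nodes.module. It assumes a hypothetical Drupal 6 module named example_media that declares the media_document type in its hook_node_info(); the permission names are illustrative.

```php
<?php
// Added example for a hypothetical Drupal 6 module "example_media".
// Assumption: this module owns the media_document node type, which is
// what makes Drupal 6 call its hook_access() for those nodes.
// The permission strings are illustrative, not Media Manager's own.

/**
 * Implementation of hook_perm(): permissions shown on the roles page.
 */
function example_media_perm() {
  return array(
    'view media_document content',
    'create media_document content',
    'edit own media_document content',
    'edit any media_document content',
  );
}

/**
 * Implementation of hook_access(): gate each operation on the node.
 */
function example_media_access($op, $node, $account) {
  switch ($op) {
    case 'view':
      // Deny explicitly when the permission is missing. Otherwise return
      // nothing, so Drupal's own checks (published status, node_access
      // grants) still decide; returning TRUE here would skip them.
      if (!user_access('view media_document content', $account)) {
        return FALSE;
      }
      break;

    case 'create':
      return user_access('create media_document content', $account);

    case 'update':
    case 'delete':
      if (user_access('edit any media_document content', $account)) {
        return TRUE;
      }
      // Authors may change only their own documents.
      return user_access('edit own media_document content', $account)
        && $account->uid == $node->uid;
  }
}
```

Users with the 'administer nodes' permission bypass hook_access() entirely. Node access also does not by itself protect a file that the web server delivers directly under Drupal 6's public download method.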
#5
Automatically closed -- issue fixed for 2 weeks with no activity.