WebFM File Attachments fieldset is shown to users that dont have upload/attach permission
6174604 - May 24, 2009 - 04:23
| Project: | Web File Manager |
| Version: | 6.x-2.10-rc4 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | by design |
Jump to:
Description
Hi guys,
Just noticed a weird thing today. The WebFM File Attachments collapsible fieldset are available to users that don't have any upload permission at all (they don't have the upload dialog tho, only the tree listing). When they try to attach the file listed in the tree, they will get an "invalid permission" error. So I dont see any points of it being there.
Users with just "access webfm" are able to see it, nothing else is set for them.
Is this a kind of feature or is it a bug? Have anyone experienced it already?
Please let me know.
Thanks
P/S: I attached a picture showing anon user see the WebFM File attachments fieldset with "access webfm" permission only
| Attachment | Size |
|---|---|
| webfm.jpg | 81.45 KB |
#1
Ok, I think i found the bit of code that cause this:
if(($user->uid == 1) || user_access('administer webfm') || user_access('access webfm'))
$access = TRUE;
else
$access = FALSE;
if ($form_id == 'node_type_form' && $access) {
$form['workflow']['webfm_attach'] = array(
'#type' => 'radios',
'#title' => t('WebFM Attachments'),
'#default_value' => variable_get('webfm_attach_'.$form['#node_type']->type, 0),
'#options' => array(0 => t('Disabled'), 1 => t('Enabled')),
'#description' => t('Should this content type allow upload & file attachment via WebFM?'),
);
}
On the first line, why should 'access webfm' permitted user see the WebFM Attachments fieldset tho? Shouldn't it be 'webfm upload' instead? Or a combination && of both...
#2
Users with 'webfm access' can attach files to nodes regardless if they have upload rights or not. Your version of the module might behave differently because it looks like it has been hacked - the context menu is not standard.