User permissions are never checked
siteograf - July 13, 2009 - 09:51
| Project: | File import |
| Version: | 6.x-1.0-beta3 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | liberatr |
| Status: | needs work |
Description
Any user (no matter what permissions are set for him) can import a file for a node from the "import" tab on the node page.

#1
I changed the issue title as the problem is more fundamental: the module currently does not check for the user permissions defined in hook_perm(). The problem is that the module currently never checks the 'import files' user permission defined in file_import_perm(). I manually added the check to remove this option for node/%nid/file_import URLs as follows:
<?php
/**
 * Checks for node's file import tab access.
 */
function file_import_access($node) {
  // return variable_get('file_import_tab', TRUE) && file_import_access_node($node);
  return variable_get('file_import_tab', TRUE) && user_access('import files') && file_import_access_node($node);
}
?>
Similar edits (adding && user_access('import files')) should happen throughout the code. Hope this helps!
Olivier
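A negative test for the check discussed in comment #1, added here as an example and not taken from the module or from either poster: it calls each access callback as users who lack 'import files' and reports any callback that still grants access. The Drupal 6 core stubs, the `file_import_access_unpatched` name, `audit_access_callbacks()` and the user sets are assumptions made so the file runs with plain `php`.

```php
<?php
// Added example. Stubs stand in for Drupal 6 core so this runs outside Drupal.
$demo_perms = array();  // permissions of the simulated current user (constructed)

function user_access($perm) {              // stub of Drupal's user_access()
  global $demo_perms;
  return in_array($perm, $demo_perms, TRUE);
}
function variable_get($name, $default) {   // stub: every setting keeps its default
  return $default;
}
function file_import_access_node($node) {  // stub: assume the node itself qualifies
  return TRUE;
}

// Tab callback as it stood before the change in comment #1 (name is hypothetical).
function file_import_access_unpatched($node) {
  return variable_get('file_import_tab', TRUE) && file_import_access_node($node);
}
// Tab callback with the permission check from comment #1.
function file_import_access($node) {
  return variable_get('file_import_tab', TRUE) && user_access('import files') && file_import_access_node($node);
}

/**
 * Calls every callback as each user who lacks $perm and returns a line
 * for each callback that still grants access.
 */
function audit_access_callbacks(array $callbacks, array $users, $perm) {
  global $demo_perms;
  $leaks = array();
  foreach ($callbacks as $callback) {
    foreach ($users as $label => $perms) {
      if (in_array($perm, $perms, TRUE)) {
        continue;  // only users without the permission are interesting
      }
      $demo_perms = $perms;
      if (call_user_func($callback, new stdClass())) {
        $leaks[] = "$callback grants access to '$label'";
      }
    }
  }
  return $leaks;
}

$users = array(  // constructed permission sets
  'anonymous' => array('access content'),
  'author'    => array('access content', 'create page content'),
  'importer'  => array('access content', 'import files'),
);
print_r(audit_access_callbacks(array('file_import_access_unpatched', 'file_import_access'), $users, 'import files'));
```

Listing every access callback the module registers in the first argument turns "similar edits throughout the code" into a repeatable check.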
#2
siteograf and Olivier,
Submitting a patch speeds up the entire process. If you've got a spare minute, save neochief a few minutes and roll a patch.
The only place I saw this issue (at first) was during the check whether to display a tab on the node page or not. On our site the tab was showing up for anonymous users. Apparently, you have seen it in other places?