Any user (no matter what permissions is set for him) can import file for node from "import" tab on node page.

CommentFileSizeAuthor
#2 user_access_d6.patch353 bytesliberatr

Comments

ShutterFreak’s picture

Title: Critical issue: anyone can import files » User permissions are never checked
Status: Active » Needs work

I changed the issue title as the problem is more fundamental: the module currently does not check for the user permissions defined in hook_perm().

The problem is that the module currently never checks the 'import files' user permission defined in file_import_perm().

I manually added the check to remove this option for node/%nid/file_import URLs as follows:

/**
 * Checks for node's file import tab access.
 */
function file_import_access($node) {
  // return variable_get('file_import_tab', TRUE) && file_import_access_node($node);
  return variable_get('file_import_tab', TRUE) && user_access('import files') && file_import_access_node($node);
}

Similar edits (adding && user_access('import files')) should happen throughout the code.

Hope this helps!

Olivier

liberatr’s picture

Assigned: Unassigned » liberatr
StatusFileSize
new353 bytes

siteograf and Olivier,

Submitting a patch speeds up the entire process. If you've got a spare minute, save neochief a few minutes and roll a patch.

The only place I saw this issue (at first) was during the check whether to display a tab on the node page or not. On our site the tab was showing up for anonymous users. Apparently, you have seen it in other places?