I have an issue with permissions. I have two user roles on my site, and want to prevent one role from viewing pictures from the gallery. I set up the permissions accordingly, but still the pictures are visible to all users. I guess it is a bug unless I am missing something very obvious...

Comments

Project:Media» Media Gallery

This is actually a bug in the media gallery module. If you visit media/123 (Where 123 is the ID of the file) you will see permissions working, but the Media Gallery module isn't respecting them.

Version:7.x-1.0-beta5» 7.x-1.x-dev

Status:Active» Needs review
StatusFileSize
new7.84 KB

Here is a patch, which should respect the permissions.

The only access-permission, which i am not sure, if it is correct, is "remove media from gallery". Currently you can remove a media from the gallery, if you have the "Node: Gallery edit" permission. Is that also true, if you have no media permission (view/edit)? (This may be more important, when media supports a better permission-granularity.)

Status:Needs review» Needs work

The patch does not apply to latest changes in the media gallery.

Issue tags:+Beta8-blockers

Tagging.

Status:Needs work» Needs review
StatusFileSize
new7.18 KB

Recreated patch.

Changelog:
- Removed access check in media_gallery.theme.inc (If there is no access to the files, they will be removed before theming.)
= Modified media_gallery_edit_item_access to not check, whether the user has access to the node, as the user only wants to edit the media.
+ Added access check in the edit media page to remove the media from gallery (only allow, if the user has update permissions).

Status:Needs review» Reviewed & tested by the community

The patch looks good. Tested with non-auth and auth without view permissions. You can commit.

Status:Reviewed & tested by the community» Fixed

Automatically closed -- issue fixed for 2 weeks with no activity.