[2009-05-18] Enforce File/Image->can*() permissions in FileIframeField and ImageField #717
Assignees
Comments
ghost
assigned 
|
comment by: @sminnee (sminnee) This is still an issue. |
|
these fields don't exist in 4 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
created by: @chillu (ischommer)
assigned to: @chillu (ischommer)
created at: 2009-05-18
original ticket: http://open.silverstripe.org/ticket/4084
Currently, these permissions are only enforced for folders in AssetAdmin, not for files in the popup.
Enforce this in the form display on FileIframeField and ImageField, e.g. by removing the "delete" button.
Also check the permissions before executing save() or delete() on the fields.
One problem is that File->canEdit() currently checks for CMS_ACCESS_AssetAdmin permissions, making the field unuseable for website users without CMS access. We might want to add a strict check for a new FILE_EDIT permission, that kicks in if defined, but falls back to CMS_ACCESS_AssetAdmin otherwise.
The text was updated successfully, but these errors were encountered: