Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

FIX: Allow images attached to UploadFields to be unlinked without Fil…

…e::canEdit() or File::canDelete() permission.

Although editing meta-data or deleting permanently would require File editing/deleting permissions, merely linking to a record does not.  This change is important for allowing front-end use of UploadField; or, more importantly, use of UploadFile by people without CMS rights.
  • Loading branch information...
commit 2fdd9a3b13c66f6f9a8a4ba349ec225325fa0558 1 parent 4da1af9
@sminnee sminnee authored chillu committed
View
1  forms/UploadField.php
@@ -867,7 +867,6 @@ public function doEdit(array $data, Form $form, SS_HTTPRequest $request) {
// Check item permissions
$item = $this->getItem();
if(!$item) return $this->httpError(404);
- if(!$item->canEdit()) return $this->httpError(403);
// Only allow actions on files in the managed relation (if one exists)
$items = $this->parent->getItems();
View
5 templates/Includes/UploadField_FileButtons.ss
@@ -4,13 +4,12 @@
<span class="toggle-details">
<span class="toggle-details-icon"></span>
</span>
-
</button>
- <% if UploadFieldHasRelation %>
+<% end_if %>
+<% if UploadFieldHasRelation %>
<button data-href="$UploadFieldRemoveLink" class="ss-uploadfield-item-remove ss-ui-button ui-corner-all" title="<% _t('UploadField.REMOVEINFO', 'Remove this file from here, but do not delete it from the file store') %>" data-icon="plug-disconnect-prohibition">
<% _t('UploadField.REMOVE', 'Remove') %></button>
<% end_if %>
-<% end_if %>
<% if canDelete %>
<button data-href="$UploadFieldDeleteLink" class="ss-uploadfield-item-delete ss-ui-button ui-corner-all" title="<% _t('UploadField.DELETEINFO', 'Permanently delete this file from the file store') %>" data-icon="minus-circle"><% _t('UploadField.DELETE', 'Delete from files') %></button>
<% end_if %>

0 comments on commit 2fdd9a3

Please sign in to comment.
Something went wrong with that request. Please try again.