API File->canEdit() returns TRUE by default (not checking CMS perms)
This is a measure to support form fields and controllers interacting with files in different contexts, for example an UploadField used in a ModelAdmin, or a website frontend. The check for 'CMS_ACCESS_AssetAdmin' was too restricting. This wasn't a problem in 2.x simply because the old FileField/Upload classes didn't respect File->can*() permissions.
|@@ -9,4 +9,5 @@|
|* Removed defunct or unnecessary debug GET parameters:|
|* Removed `Member_ProfileForm`, use `CMSProfileController` instead|
|- * `SiteTree::$nested_urls` enabled by default. To disable, call `SiteTree::disable_nested_urls()`.|
|+ * `SiteTree::$nested_urls` enabled by default. To disable, call `SiteTree::disable_nested_urls()`.|
|+ * Removed CMS permission checks from `File->canEdit()` and `File->canDelete()`. If you have unsecured controllers relying on these permissions, please override them through a `DataExtension`.|
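Review bot: The changelog entry added on the last line says the CMS permission checks were removed from `File->canEdit()` and `File->canDelete()`, but not what the methods do now. Per the commit message, `canEdit()` returns TRUE by default, so code that relied on the old check becomes allow-by-default after upgrading. Suggest stating the new default in this entry and naming the removed permission code (`'CMS_ACCESS_AssetAdmin'`), so upgraders know what to reinstate in their `DataExtension`. The commit title mentions only `canEdit()` while this line also covers `canDelete()`; the message should say so, including whether `canDelete()` has the same new default. The removed and re-added `SiteTree::$nested_urls` lines read identically here, which looks like a whitespace-only change that could be dropped from this commit.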