Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

API File->canEdit() returns TRUE by default (not checking CMS perms)

This is a measure to support form fields and controllers
interacting with files in different contexts,
for example an UploadField used in a ModelAdmin,
or a website frontend. The check for 'CMS_ACCESS_AssetAdmin'
was too restricting. This wasn't a problem in 2.x simply because
the old FileField/Upload classes didn't respect File->can*()
  • Loading branch information...
commit a3295e2a37b6231a7c60dc4facc09e14372ae5a7 1 parent 7023669
@chillu chillu authored
Showing with 3 additions and 2 deletions.
  1. +2 −1  docs/en/changelogs/
  2. +1 −1  filesystem/File.php
3  docs/en/changelogs/
@@ -9,4 +9,5 @@
* Removed defunct or unnecessary debug GET parameters:
`debug_profile`, `debug_memory`, `profile_trace`, `debug_javascript`, `debug_behaviour`
* Removed `Member_ProfileForm`, use `CMSProfileController` instead
- * `SiteTree::$nested_urls` enabled by default. To disable, call `SiteTree::disable_nested_urls()`.
+ * `SiteTree::$nested_urls` enabled by default. To disable, call `SiteTree::disable_nested_urls()`.
+ * Removed CMS permission checks from `File->canEdit()` and `File->canDelete()`. If you have unsecured controllers relying on these permissions, please override them through a `DataExtension`.
2  filesystem/File.php
@@ -293,7 +293,7 @@ public function canEdit($member = null) {
$result = $this->extendedCan('canEdit', $member);
if($result !== null) return $result;
- return Permission::checkMember($member, 'CMS_ACCESS_AssetAdmin');
+ return true;
Please sign in to comment.
Something went wrong with that request. Please try again.