ACL checks in the media file details ajax calls only for root/arbitrary namespace #765
A comment in our old bug tracker alerted me to this issue: in the media manager, ACLs are broken for all views of individual files if you have access to the root namespace or, in the case of the media diff ajax call, an arbitrary namespace.
I have reproduced this issue in my local DokuWiki installation: I can simply open an image I have no permission for in the media manager. I get a permission denied message in the media details tab, but when I click on the detail tabs they load via ajax with the real content. The media diff ajax call is a bit more difficult to test, as the ns parameter (but only that one) is a POST parameter, but after changing the code to accept a GET parameter as well I can clearly see that it uses the ns parameter for the permission check (and nothing else).
No actual file content is exposed, just the metadata, but the metadata can contain a lot of information (title, caption etc. from the exif metadata) and the full history is displayed, too. This also requires knowing the actual media file id.
So far I can see the following problems in the code:
I think a first fix could be to ignore the ns parameter in all ajax calls and instead set it based on the supplied image id.
I think we should fix this and release a hotfix release ASAP.
I noticed this same issue with the media manager & ACL just today, but from the other way around: when a user has full access to a namespace but no access to the parent namespace, the media manager shows the images but gives an access denied message when viewing details.
Was the $NS global 'rationalised' recently?
A side question - how can you check the user's permissions to a namespace? medialist plugin does a quick_aclcheck() using the namespace, but gets the actual permissions for the page (named as namespace) in the parent namespace.
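An added example, not DokuWiki's own code: a self-contained PHP sketch of the broken check described in the issue (permission taken from the client-supplied ns parameter), the proposed fix (namespace derived from the media id), the reverse case from the second comment, and the side question about checking namespace permissions. getNS() and auth_quickaclcheck() below are simplified stand-ins for the real DokuWiki functions, the ACL tables and request arrays are constructed, and the two handler functions are hypothetical.

```php
<?php
// Simplified stand-ins for DokuWiki's getNS() and auth_quickaclcheck()
// (assumption: these are NOT the project's real implementations).
const AUTH_NONE = 0;
const AUTH_READ = 1;

// Rules keyed by page id or by "ns:*" for a namespace; '*' is the root.
$ACL = [];

function getNS($id) {
    $pos = strrpos($id, ':');
    return $pos === false ? false : substr($id, 0, $pos);
}

function auth_quickaclcheck($id) {
    global $ACL;
    $id = ltrim($id, ':');                  // ":*" means the root namespace
    if (isset($ACL[$id])) return $ACL[$id]; // exact rule (page or "ns:*")
    $ns = getNS($id);
    while ($ns !== false) {                 // walk up to the closest "ns:*" rule
        if (isset($ACL["$ns:*"])) return $ACL["$ns:*"];
        $ns = getNS($ns);
    }
    return isset($ACL['*']) ? $ACL['*'] : AUTH_NONE;
}

// Broken pattern from the issue: the check uses the ns request parameter,
// which the client controls independently of the file it asks for.
function media_details_vulnerable(array $request) {
    $ns = isset($request['ns']) ? $request['ns'] : '';
    if (auth_quickaclcheck("$ns:*") < AUTH_READ) return 'denied';
    return 'metadata of ' . $request['image'];
}

// Proposed fix: ignore ns and derive the namespace from the media id.
// (Real code should run the id through DokuWiki's cleanID() first.)
function media_details_fixed(array $request) {
    $image = $request['image'];
    $ns = getNS($image);
    $check = ($ns === false) ? '*' : "$ns:*";
    if (auth_quickaclcheck($check) < AUTH_READ) return 'denied';
    return 'metadata of ' . $image;
}

function demo() {
    global $ACL;
    $out = [];

    // Scenario 1 (issue body): user may read the root but not private:*,
    // and asks for a file in private:* while sending ns=''.
    $ACL = ['*' => AUTH_READ, 'private:*' => AUTH_NONE];
    $req = ['ns' => '', 'image' => 'private:secret.jpg'];
    $out['leak, vulnerable'] = media_details_vulnerable($req);
    $out['leak, fixed']      = media_details_fixed($req);

    // Scenario 2 (second comment): access to team:* but none to the parent.
    $ACL = ['*' => AUTH_NONE, 'team:*' => AUTH_READ];
    $req = ['ns' => '', 'image' => 'team:logo.png'];
    $out['wrong denial, vulnerable'] = media_details_vulnerable($req);
    $out['wrong denial, fixed']      = media_details_fixed($req);

    // Side question: checking the bare name "private" tests the *page*
    // "private" in the root namespace; the namespace itself is "private:*".
    $ACL = ['*' => AUTH_READ, 'private:*' => AUTH_NONE];
    $out['check page private']      = auth_quickaclcheck('private');
    $out['check namespace private'] = auth_quickaclcheck('private:*');

    return $out;
}

print_r(demo());
```

With the first table the vulnerable handler hands back the metadata and the fixed one denies; with the second table the outcomes are reversed, which is the "other way around" case. The last two lookups show why a plugin that passes a plain namespace name gets the permission of a same-named page in the parent namespace: the namespace rule is only consulted when the id ends in ":*".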
* stable: (474 commits)
  hotfix release for #765
  Quick fix for #765 - ACL checks in the media manager ajax calls
  Use git attributes to exclude some files from exported archives
  Release 2014-05-05 "Ponder Stibbons"
  Release preparation
  no fancy quotes in user manager import description
  add defaults to phpdocs of search universal
  update deprecation stuff for dw_qearch
  translation update
  translation update
  translation update
  added another test for arrays
  fixed some test inheriting from the wrong parent
  use new $INPUT->valid() method in feed.php
  add new valid() method to $INPUT #667
  some updates on phpunit docs and settings
  Fix https proxy authentication, the header was missing a colon so that the auth info was not working.
  translation update
  translation update
  translation update
  ...