ACL checks in the media file details ajax calls only for root/arbitrary namespace #765
A comment in our old bug tracker alerted me to this issue: in the media manager, ACLs are broken for all views of individual files if you have access to the root namespace or - in the case of the media diff ajax call - an arbitrary namespace.
I have reproduced this issue in my local DokuWiki installation: I can simply open an image I have no permission for in the media manager; I get a permission denied message in the media details tab, and when I click on the detail tabs they load via ajax with the real content. The media diff ajax call is a bit more difficult to test as the ns parameter (but only that one) is a post parameter, but after changing the code to accept a get parameter as well I can clearly see that it uses the ns parameter for the permission check (and nothing else).
No actual file content is exposed, just the metadata, but the metadata can contain a lot of information (title, caption etc. from the exif metadata) and the full history is displayed, too. This also requires knowing the actual media file id.
So far I can see the following problems in the code:
I think a first fix could be to ignore the ns parameter in all ajax calls and instead set it based on the supplied image id.
I think we should fix this and release a hotfix release ASAP.
I noticed this same issue with media manager & acl just today, but from the other way around: when a user has full access to a namespace but no access to the parent namespace, the media manager shows the images but gives an access denied message when viewing details.
Was the $NS global 'rationalised' recently?
A side question - how can you check the user's permissions to a namespace? The medialist plugin does a quick_aclcheck() using the namespace, but gets the actual permissions for the page (named as namespace) in the parent namespace.
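An added example, not DokuWiki's own code, showing both the fix suggested in the issue (derive the namespace from the supplied media id instead of trusting the ns request parameter) and the answer to the side question (DokuWiki checks a namespace with the `"$ns:*"` pattern, the same idiom auth_quickaclcheck() is given in the media manager). The ACL table and the helpers `acl_check()` and `ns_of()` are constructed stand-ins for auth_quickaclcheck() and getNS() so the script runs outside DokuWiki.

```php
<?php
const AUTH_NONE = 0;
const AUTH_READ = 1;

// Constructed ACL table for the current user: pattern => permission level.
// Root namespace is readable, the 'private' namespace is not.
$acl = [
    '*'         => AUTH_READ,
    'wiki:*'    => AUTH_READ,
    'private:*' => AUTH_NONE,
];

// Stand-in for auth_quickaclcheck(): exact id first, then the closest
// enclosing "ns:*" pattern, then the root pattern "*".
function acl_check(array $acl, string $id): int {
    if (isset($acl[$id])) return $acl[$id];
    $ns = $id;
    while (($pos = strrpos($ns, ':')) !== false) {
        $ns = substr($ns, 0, $pos);
        if (isset($acl["$ns:*"])) return $acl["$ns:*"];
    }
    return $acl['*'] ?? AUTH_NONE;
}

// Stand-in for getNS(): namespace part of an id, false for the root.
function ns_of(string $id) {
    $pos = strrpos($id, ':');
    return $pos === false ? false : substr($id, 0, $pos);
}

// The pattern to hand the ACL check for a whole namespace ('' = root).
function ns_pattern($ns): string {
    return ($ns === false || $ns === '') ? '*' : "$ns:*";
}

// Vulnerable shape from the issue: the namespace comes from the request,
// so a caller who may read the root namespace passes ns='' for any image.
function details_allowed_vuln(array $acl, string $image, string $ns): bool {
    return acl_check($acl, ns_pattern($ns)) >= AUTH_READ;
}

// Fixed shape: ignore the ns parameter and check the image id itself,
// which the ACL matcher resolves through its real enclosing namespace.
function details_allowed_fixed(array $acl, string $image): bool {
    return acl_check($acl, $image) >= AUTH_READ;
}

var_dump(details_allowed_vuln($acl, 'private:secret.jpg', ''));  // true: bypass
var_dump(details_allowed_fixed($acl, 'private:secret.jpg'));     // false: denied
var_dump(acl_check($acl, ns_pattern(ns_of('wiki:logo.png'))) >= AUTH_READ); // true
```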