ACL checks in the media file details ajax calls only for root/arbitrary namespace #765
A comment in our old bug tracker alerted me to this issue: in the media manager, ACLs are broken for all views for individual files if you have access to the root namespace or - in the case of the media diff ajax call - an arbitrary namespace.
I have reproduced this issue in my local DokuWiki installation: I can simply open an image I have no permission for in the media manager; I get a permission denied message in the media details tab, and when I click on the detail tabs they load via ajax with the real content. The media diff ajax call is a bit more difficult to test as the ns parameter (but only that one) is a post parameter, but after changing the code to accept a get parameter as well I can clearly see that it uses the ns parameter for the permission check (and nothing else).
No actual file content is exposed, just the metadata, but the metadata can contain a lot of information (title, caption etc. from the exif metadata) and the full history is displayed, too. This also requires knowing the actual media file id.
So far I can see the following problems in the code:
I think a first fix could be to ignore the ns parameter in all ajax calls and instead set it based on the supplied image id.
I think we should fix this and release a hotfix release ASAP.
I noticed this same issue with the media manager & ACL just today, but from the other way around: when a user has full access to a namespace but no access to the parent namespace, the media manager shows the images but gives an access denied message when viewing details.
Was the $NS global 'rationalised' recently?
A side question - how can you check the user's permissions to a namespace? The medialist plugin does a quick_aclcheck() using the namespace, but gets the actual permissions for the page (named as the namespace) in the parent namespace.
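The two points above (checking the ACL on the client-supplied `ns` instead of on the requested file, and the difference between the page named like a namespace and the namespace itself) in one small Python model, added here and not DokuWiki's own PHP code. `get_ns()` and `acl_check()` are simplified stand-ins for DokuWiki's `getNS()` and `auth_quickaclcheck()` (one subject, no groups, most specific rule wins); the ACL table and metadata store are constructed.

```python
# Added example (not DokuWiki code): a model of the media-details ajax permission
# check, showing why trusting the client-supplied 'ns' is wrong and how deriving
# the namespace from the media id fixes it.
AUTH_NONE, AUTH_READ = 0, 1

# Constructed ACL table: keys are a DokuWiki id or an 'ns:*' namespace rule
# ('*' is the root namespace); values are permission levels.
ACL = {'*': AUTH_READ, 'private:*': AUTH_NONE}

# Constructed metadata store standing in for the media manager's file details.
MEDIA = {
    'private:secret.png': {'title': 'Q3 board deck', 'revisions': [1398000000, 1399000000]},
    'public:logo.png': {'title': 'Logo', 'revisions': [1390000000]},
}

def get_ns(id_):
    """Namespace part of an id ('' for root), like DokuWiki's getNS()."""
    return id_.rsplit(':', 1)[0] if ':' in id_ else ''

def ns_rule(ns):
    """Id to check for namespace-level permission: 'ns:*', not a page called 'ns'."""
    return f'{ns}:*' if ns else '*'

def acl_check(acl, id_):
    """Exact id rule first, then the closest 'ns:*' rule, falling back to '*'."""
    if id_ in acl:
        return acl[id_]
    ns = get_ns(id_)
    while True:
        if ns_rule(ns) in acl:
            return acl[ns_rule(ns)]
        if not ns:
            return AUTH_NONE
        ns = get_ns(ns)

def media_details_vulnerable(acl, params):
    """Mirrors the bug: permission is taken from the client-chosen 'ns' parameter."""
    if acl_check(acl, ns_rule(params.get('ns', ''))) < AUTH_READ:
        return 'denied'
    return MEDIA.get(params['image'])

def media_details_fixed(acl, params):
    """Fix proposed in the issue: ignore 'ns', check the ACL of the requested file."""
    image = params['image']
    if acl_check(acl, image) < AUTH_READ:
        return 'denied'
    return MEDIA.get(image)

if __name__ == '__main__':
    # A client with root-namespace read access asks for a file in a denied namespace.
    req = {'ns': '', 'image': 'private:secret.png'}
    print('vulnerable:', media_details_vulnerable(ACL, req))  # title and history leak
    print('fixed:     ', media_details_fixed(ACL, req))       # denied
```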
* stable: (474 commits)
  hotfix release for #765
  Quick fix for #765 - ACL checks in the media manager ajax calls
  Use git attributes to exclude some files from exported archives
  Release 2014-05-05 "Ponder Stibbons"
  Release preparation
  no fancy quotes in user manager import description
  add defaults to phpdocs of search universal
  update deprecation stuff for dw_qearch
  translation update
  translation update
  translation update
  added another test for arrays
  fixed some test inheriting from the wrong parent
  use new $INPUT->valid() method in feed.php
  add new valid() method to $INPUT #667
  some updates on phpunit docs and settings
  Fix https proxy authentication, the header was missing a colon so that the auth info was not working.
  translation update
  translation update
  translation update
  ...