attachment permissions

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

attachment permissions

sean_ellis
Hello,
I've installed MojoMojo-0.999041 from cpan

I created a new user via the registration, not an admin. I can limit the new user's privileges to only editing his home page, but so far, no matter what I've tried, he is still able to upload attachments to the root page. According to what I see in the path_permissions table (only view_allowed) this should not be the case.

suggestions welcome, thanks, and thanks for the software, it's pretty cool

Sean

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: attachment permissions

sean_ellis
sean_ellis wrote
I've installed MojoMojo-0.999041 from cpan

I created a new user via the registration, not an admin. I can limit the new user's privileges to only editing his home page, but so far, no matter what I've tried, he is still able to upload attachments to the root page. According to what I see in the path_permissions table (only view_allowed) this should not be the case.
HI

responding to my own post:

after digging around I've come to the conclusion that the behaviour that I described above may be the default, and intentional

I've managed to get what I wanted by wrapping the uploader display code in  attachments.tt with a check for attachment privileges which seems to be working, so I'm happy

Sean
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: attachment permissions

Marcus Ramberg
Uhm, I do not believe this is intentional behaviour. I'd accept a
patch to make edit permissions be required for uploading attachments,
provided it includes tests.

With regards
Marcus Ramberg



On Tue, Nov 24, 2009 at 5:50 AM, sean_ellis <[hidden email]> wrote:

>
>
> sean_ellis wrote:
>>
>> I've installed MojoMojo-0.999041 from cpan
>>
>> I created a new user via the registration, not an admin. I can limit the
>> new user's privileges to only editing his home page, but so far, no matter
>> what I've tried, he is still able to upload attachments to the root page.
>> According to what I see in the path_permissions table (only view_allowed)
>> this should not be the case.
>>
> HI
>
> responding to my own post:
>
> after digging around I've come to the conclusion that the behaviour that I
> described above may be the default, and intentional
>
> I've managed to get what I wanted by wrapping the uploader display code in
> attachments.tt with a check for attachment privileges which seems to be
> working, so I'm happy
>
> Sean
>
> --
> View this message in context: http://n2.nabble.com/attachment-permissions-tp4048482p4055858.html
> Sent from the mojomojo mailing list archive at Nabble.com.
>
> _______________________________________________
> Mojomojo mailing list
> [hidden email]
> http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/mojomojo
>

_______________________________________________
Mojomojo mailing list
[hidden email]
http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/mojomojo
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: attachment permissions

sean_ellis
Marcus Ramberg wrote
Uhm, I do not believe this is intentional behaviour. I'd accept a
patch to make edit permissions be required for uploading attachments,
provided it includes tests.
Ok, it hadn't seemed right. Delete attachment and insert was supressed but a functioning upload button was still there.

I mimicked some if the code from root/base/attachments/list.tt , that seems to work for me so far. Perhaps header.tt would be edited to remove reference to the swf javascript files on pages like this? and .. ?

I'm not sure what you meant above by 'tests'. I'll do it if I'm able. Meanwhile I'll attach a diff to show what I did,

thanks

Seanattach_perms_check 
Loading...