Fix missing perm checks for a "standard user" in MediaLibrary

We still have the issue that we have set authorID 0 as the standard authorid in ML. This prevents us being more strict than this. We will have to re-think this, maybe... References #385
2016-02-03 15:47:04 +01:00 · 2016-02-03 15:47:04 +01:00 · 227d115d71
commit 227d115d71
parent 3fe8959d00
4 changed files with 17 additions and 12 deletions
--- a/docs/NEWS
+++ b/docs/NEWS
@ -1,6 +1,8 @@
 Version 2.1 ()
 ------------------------------------------------------------------------

+    * Fix missing perm checks for "standard user" in MediaLibrary
+
    * Fix show Dashboard entries by authors entries

    * Fix show Dashboard comments by authors entries (#385)
--- a/include/admin/images.inc.php
+++ b/include/admin/images.inc.php
@ -120,7 +120,7 @@ switch ($serendipity['GET']['adminAction']) {
        break;

    case 'multidelete':
-        if (!serendipity_checkFormToken()) {
+        if (!serendipity_checkFormToken() || !serendipity_checkPermission('adminImagesDirectories')) {
            return; // blank content page, but default token check parameter is presenting a XSRF message when false
        }
        if (!is_array($serendipity['POST']['multiDelete']) && isset($_POST['toggle_move'])) {
@ -635,7 +635,8 @@ switch ($serendipity['GET']['adminAction']) {
            'maxImgHeight'      => $serendipity['maxImgHeight'],
            'maxImgWidth'       => $serendipity['maxImgWidth'],
            'extraParems'       => serendipity_generateImageSelectorParems(),
-            'manage'            => isset($serendipity['GET']['showMediaToolbar']) ? serendipity_db_bool($serendipity['GET']['showMediaToolbar']) : true
+            'manage'            => isset($serendipity['GET']['showMediaToolbar']) ? serendipity_db_bool($serendipity['GET']['showMediaToolbar']) : true,
+            'multiperm'         => serendipity_checkPermission('adminImagesDirectories')
        );
        // ToDo later: merge $data and $media
        $serendipity['smarty']->assign('media', $mediaFiles);
--- a/templates/2k11/admin/media_items.tpl
+++ b/templates/2k11/admin/media_items.tpl
@ -60,9 +60,9 @@
        {$link="?serendipity[adminModule]=images&amp;serendipity[adminAction]=choose&amp;serendipity[noBanner]=true&amp;serendipity[noSidebar]=true&amp;serendipity[noFooter]=true&amp;serendipity[fid]={$file.id}&amp;serendipity[filename_only]={$media.filename_only}&amp;serendipity[textarea]={$media.textarea}&amp;serendipity[htmltarget]={$media.htmltarget}"}
    {/if}

-            <article id="media_{$file.id}" class="media_file {if $media.manage}manage {/if}{cycle values="odd,even"}">
+            <article id="media_{$file.id}" class="media_file {if $media.manage AND $media.multiperm}manage {/if}{cycle values="odd,even"}">
                <header class="clearfix">
-                    {if $media.manage}
+                    {if $media.manage AND $media.multiperm}

                    <div class="form_check">
                        <input id="multidelete_image{$file.id}" class="multidelete" name="serendipity[multiDelete][]" type="checkbox" value="{$file.id}" data-multidelid="media_{$file.id}">
@ -77,7 +77,7 @@

                <div class="clearfix equal_heights media_file_wrap">
                    <div class="media_file_preview">
-                        <a {if $media.manage}class="media_fullsize"{/if} href="{$link}" title="{$CONST.MEDIA_FULLSIZE}: {$file.realname}" data-pwidth="{$file.popupWidth}" data-pheight="{$file.popupHeight}">
+                        <a {if $media.manage AND $media.multiperm}class="media_fullsize"{/if} href="{$link}" title="{$CONST.MEDIA_FULLSIZE}: {$file.realname}" data-pwidth="{$file.popupWidth}" data-pheight="{$file.popupHeight}">
                            <img src="{$img_src}" title="{$img_title}" alt="{$img_alt}">
                        </a>
                        <footer id="media_file_meta_{$file.id}" class="media_file_meta additional_info">
@ -116,24 +116,26 @@
                {if $file.is_editable}

                    <li><button class="media_rename button_link" type="button" title="{$CONST.MEDIA_RENAME}" data-fileid="{$file.id}" data-filename="{$file.name|escape:javascript}"><span class="icon-edit"></span><span class="visuallyhidden"> {$CONST.MEDIA_RENAME}</span></button></li>
-                    {if $file.is_image AND NOT $file.hotlink}
+                    {if $file.is_image AND NOT $file.hotlink AND $media.multiperm}

                    <li><a class="media_resize button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=scaleSelect&amp;serendipity[fname]={$file.name|truncate:30:"&hellip;"}&amp;serendipity[fid]={$file.id}&amp;{$media.extraParems}" title="{$CONST.IMAGE_RESIZE}"><span class="icon-resize-full"></span><span class="visuallyhidden"> {$CONST.IMAGE_RESIZE}</span></a></li>
                    {/if}
-                    {if $file.is_image AND NOT $file.hotlink}
+                    {if $file.is_image AND NOT $file.hotlink AND $media.multiperm}

                    <li><a class="media_rotate_left button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=rotateCCW&amp;serendipity[fid]={$file.id}" title="{$CONST.IMAGE_ROTATE_LEFT}"><span class="icon-ccw"></span><span class="visuallyhidden"> {$CONST.IMAGE_ROTATE_LEFT}</span></a></li>
                    {/if}
-                    {if $file.is_image AND NOT $file.hotlink}
+                    {if $file.is_image AND NOT $file.hotlink AND $media.multiperm}

                    <li><a class="media_rotate_right button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=rotateCW&amp;serendipity[fid]={$file.id}" title="{$CONST.IMAGE_ROTATE_RIGHT}"><span class="icon-cw"></span><span class="visuallyhidden">{$CONST.IMAGE_ROTATE_RIGHT}</span></a></li>
                    {/if}
-                    {if $media.manage}
+                    {if $media.manage AND $media.multiperm}

                    <li><a class="media_prop button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=properties&amp;serendipity[fid]={$file.id}" title="{$CONST.MEDIA_PROP}"><span class="icon-picture"></span><span class="visuallyhidden"> {$CONST.MEDIA_PROP}</span></a></li>
                    {/if}
+                    {if $is_author_file || $perms.delete}

                    <li><a class="media_delete button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=delete&amp;serendipity[fid]={$file.id}" title="{$CONST.MEDIA_DELETE}" data-fileid="{$file.id}" data-filename="{$file.name|escape:javascript}"><span class="icon-trash"></span><span class="visuallyhidden"> {$CONST.MEDIA_DELETE}</span></a></li>
+                    {/if}
                {/if}

                </ul>
--- a/templates/2k11/admin/media_pane.tpl
+++ b/templates/2k11/admin/media_pane.tpl
@ -237,7 +237,7 @@

    <span class="msg_notice"><span class="icon-info-circled"></span> {$CONST.NO_IMAGES_FOUND}</span>
 {else}
-    {if $media.manage}
+    {if $media.manage AND $media.multiperm}

    <form id="formMultiDelete" name="formMultiDelete" action="?" method="post">
        {$media.token}
@ -249,7 +249,7 @@
        <div class="clearfix media_pane" data-thumbmaxwidth="{$media.thumbSize}">
            {$MEDIA_ITEMS}

-        {if ($media.page != 1 && $media.page <= $media.pages)||$media.page != $media.pages}
+        {if ($media.page != 1 AND $media.page <= $media.pages) OR $media.page != $media.pages}

            <nav class="pagination">
                <h3>{$CONST.PAGE_BROWSE_ENTRIES|sprintf:$media.page:$media.pages:$media.totalImages}</h3>
@ -266,7 +266,7 @@

        </div>{* media pane end *}

-    {if $media.manage}
+    {if $media.manage AND $media.multiperm}

        <div class="form_buttons">
            <input class="invert_selection" name="toggle" type="button" value="{$CONST.INVERT_SELECTIONS}">