[dokuwiki] Re: Betr.: Patch Attached: Optionally prevent unknown internet users to browsethe full media file tree with mediamanager

Andreas Gohr wrote:
Rather than an "openmediamanager" setting, I think the mediamanager should
only be accessible to visitors with "edit" access, that I believe would
match actual behaviour to reasonable expectation of what the behaviour
should be.  Ie. If the "proper" access to mediamanager (via toolbar button)
is prevented by read only access then actual access should attempt to mirror
that.

Okay it took me a while to grasp the problem :-) This is something
like the dir listing option in webservers. Not exactly a security
problem but it's a good idea to switch it off anyway.

Now, the problem is there is no such thing as 'visitors with "edit"
access' because edit permissions may be given to selected parts of the
wiki. The question is do they have edit access *anywhere*. Checking
this info isn't easily done with the current ACL functions which will
only check a users' permissions on a given namespace...

I'm open for ideas.

Andi

I'm not sure if this is what you want. But in toolbar.php, you could check for edit permission, which will be there only if the user/visitor can edit that page. Then just before you create the JSON string for your javascript, you can splice out the media manager from the toolbar array, if the user/visitor doesn't have edit permission:

if(!$INFO['editable'])
  array_splice($menu, 15, 1);
}


--

_____________________
Myron Turner
http://www.mturner.org
http://net18reaching.org/cityscapes



--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist

Other related posts: