[dokuwiki] Re: Betr.: Patch Attached: Optionally prevent unknown internet users to browsethe full media file tree with mediamanager

I'm open for ideas.
Andi
I'm not sure if this is what you want. But in toolbar.php, you could check for edit permission, which will be there only if the user/visitor can edit that page. Then just before you create the JSON string for your javascript, you can splice out the media manager from the toolbar array, if the user/visitor doesn't have edit permission:

if(!$INFO['editable'])
array_splice($menu, 15, 1);
}


Thanks Myron, but no. If the user gets the edit toolbar they can fire up the mediamanager, that is ok. The issue is if the user doesn't have edit permission - they can access the mediamanager by typing in the URL for it.

I think the fix is to do an acl check to see if the user has edit access for the requested namespace - a correct mediamanager url includes a namespace parameter. If the mediamanager is triggered by clicking the toolbar button its certain (odd race conditions aside) they will have edit access so they will get the mediamanager.

If the user is trying to access the mediamanager using a directly entered url, then if they don't have edit access to the requested namespace, the mediamanager won't appear - and probably a 403 error code will be returned.

Once the mediamanager has appeared, there won't be any change in the images the user will see. They will be controlled by ACL read access as now.

I fixed this for my companies page with a general ACL check for editing rights - I think that this, combined with a config option will be ok. If no rights are given, I tell the user (see http://www.inetsoftware.de/lib/exe/mediamanager.php) . The switch for displaying the page or the message could be done in the core, so the templaters won't have to care.
I like the 403 idea too.

Gerry.
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist

Other related posts: