fileupload ACL not working on onAjax_download()

Fabrik / fabrik

Fabrik for Joomla 3.x

http://fabrikar.com

Other

254 stars 380 forks source link

fileupload ACL not working on onAjax_download() #2180

Open ariouche opened 5 years ago

ariouche commented 5 years ago

$this->canView() line 3361 doesn't seem to be working

In addition, if (empty($row)) line 3377 always returns false even of the object is empty so I suggest to cast it to array in order to validate the test: if (empty((array)$row))

ariouche commented 3 years ago

Hello guys. Any news on this issue?

cheesegrits commented 3 years ago

The canView() seems to be working OK for me:

https://www.screencast.com/t/K3ojYlpmY

I've changed that empty() test to cast to array as per your suggestion.

https://github.com/Fabrik/fabrik/commit/1cc334d400bad33b3af96158800cf5c93ba2dfd9

ariouche commented 3 years ago

Great I've also found that when a user isn't allowed to download a file, he can do it directly using the Ajax url

index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=fileupload&method=ajax_download&format=raw&element_id=4088&formid=182&rowid=1&repeatcount=0&ajaxIndex=

ariouche commented 3 years ago

Hello guys. Any news on this issue?