orionjs / orioncms

[Old] Orion is an open source framework built on Meteor that makes complex as well as simple apps possible with minimal effort.
http://orionjs.org
MIT License

fix permissions on filesystem #371

Open macrozone opened 8 years ago

macrozone commented 8 years ago

The allow/deny rules on the filesystem collection do allow everyone to insert/update/delete files in the current version.

As a first step, we should only allow admins to CRUD on filesystem.

Later, we should allow admins, or at least developers, to define for themselves which roles are allowed to CRUD on filesystem.

See https://github.com/orionjs/orion/blob/master/packages/filesystem/filesystem.js

Ajaxsoap commented 8 years ago

Hi @nicolaslopezj ,

I'm using Orion 1.8.0, before the upgrade to 1.8, all the users can upload a file but when I upgrade to 1.8 only the admin can upload a file.

So, I registered a role:

Roles.registerAction( 'upload', true );

HQ.allow( 'upload', true );
Branch.allow( 'upload', true );
insurer.allow( 'upload', true );

on my template:

{{#if userHasPermission 'upload'}}
  {{> afQuickField name="file" }}
{{/if}}

But the problem is, the action has no effect at all; I get this error in the browser console:

Uncaught Error: The user has no permission to perform this action [unauthorized]

What should be the approach on the filesystem permission?

NOTE: I'm using nicolaslopezj:roles@2.0.2 because every time I upgrade the roles, it throws an error on insert and update.

nicolaslopezj commented 8 years ago

Hi,

The action name is filesystem.upload and you don't have to register it. So you need to change your code to:

HQ.allow('filesystem.upload', true);
Branch.allow('filesystem.upload', true);
insurer.allow('filesystem.upload', true);
{{#if userHasPermission 'filesystem.upload'}}
  {{> afQuickField name="file" }}
{{/if}}

Ajaxsoap commented 8 years ago

Ok got it. Thanks @nicolaslopezj !
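Added example, not code from the orion project or the nicolaslopezj:roles package: a self-contained model of the two things this thread turns on, the open allow/deny rules that macrozone reports (everyone may insert/update/remove on the filesystem collection) beside a role-gated version, and the action-name check behind nicolaslopezj's answer (`filesystem.upload` is already registered; a differently named action such as `upload` is simply a different permission). `registerAction`, `Role.allow` and `userHasPermission` follow the names used in the thread, but their internals, the sample users, the in-memory collection and both rule sets are assumptions constructed for this illustration.

```javascript
// Added example, not code from orion or the nicolaslopezj:roles package: a
// self-contained model of role-gated allow/deny rules for a Meteor-style
// "files" collection. registerAction, Role.allow and userHasPermission follow
// the names used in the thread; their internals, the sample users and both
// rule sets are assumptions constructed for this illustration.

// Action registry. orion's filesystem package registers 'filesystem.upload'
// itself, which is why the thread says not to call registerAction for it.
const registeredActions = new Map();
function registerAction(action, adminAllow) {
  registeredActions.set(action, { adminAllow: Boolean(adminAllow) });
}

// A rule is a boolean or a function(userId, ...args) returning a boolean.
const roles = new Map();
class Role {
  constructor(name) {
    this.allows = new Map();
    this.denies = new Map();
    roles.set(name, this);
  }
  allow(action, rule) { this.allows.set(action, rule); return this; }
  deny(action, rule) { this.denies.set(action, rule); return this; }
}

// Constructed sample user -> roles mapping (stands in for Meteor.users).
const userRoles = new Map([
  ['u-admin', ['admin']],
  ['u-hq', ['HQ']],
  ['u-guest', []],
]);
const isAdmin = (userId) => (userRoles.get(userId) || []).includes('admin');

function evalRule(rule, userId, args) {
  return typeof rule === 'function' ? Boolean(rule(userId, ...args)) : Boolean(rule);
}

// Any matching deny wins; otherwise any allow (or the admin default) grants.
// Unregistered action names throw here (an assumption of this model) so a
// typo such as 'upload' for 'filesystem.upload' fails loudly, not silently.
function userHasPermission(userId, action, ...args) {
  const meta = registeredActions.get(action);
  if (!meta) throw new Error(`action "${action}" is not registered`);
  if (!userId) return false;
  let allowed = false;
  for (const name of userRoles.get(userId) || []) {
    if (name === 'admin' && meta.adminAllow) allowed = true;
    const role = roles.get(name);
    if (!role) continue;
    if (role.denies.has(action) && evalRule(role.denies.get(action), userId, args)) return false;
    if (role.allows.has(action) && evalRule(role.allows.get(action), userId, args)) allowed = true;
  }
  return allowed;
}

// The open rules reproduce the issue: every client may insert/update/remove.
const openRules = { insert: () => true, update: () => true, remove: () => true };

// Gated rules: insert needs the registered upload action and an honest owner
// field; update/remove are limited to the document owner or an admin.
const gatedRules = {
  insert: (userId, doc) => userHasPermission(userId, 'filesystem.upload') && doc.userId === userId,
  update: (userId, doc) => doc.userId === userId || isAdmin(userId),
  remove: (userId, doc) => doc.userId === userId || isAdmin(userId),
};

// Tiny in-memory collection that applies allow rules like a Meteor client write.
function makeCollection(rules) {
  const docs = new Map();
  let nextId = 1;
  return {
    insert(userId, doc) {
      if (!rules.insert(userId, doc)) return null;
      const id = `f${nextId++}`;
      docs.set(id, { ...doc, _id: id });
      return id;
    },
    remove(userId, id) {
      const doc = docs.get(id);
      if (!doc || !rules.remove(userId, doc)) return false;
      return docs.delete(id);
    },
    count() { return docs.size; },
  };
}

// Walk both rule sets with the same sequence of writes and report what each allowed.
function demo() {
  registerAction('filesystem.upload', true);        // admins allowed by default
  new Role('admin');
  new Role('HQ').allow('filesystem.upload', true);   // as in HQ.allow('filesystem.upload', true)

  const open = makeCollection(openRules);
  const gated = makeCollection(gatedRules);
  const hqFile = gated.insert('u-hq', { name: 'policy.pdf', userId: 'u-hq' });
  return {
    openGuestInsert: open.insert('u-guest', { name: 'evil.html', userId: 'u-guest' }) !== null,
    gatedGuestInsert: gated.insert('u-guest', { name: 'evil.html', userId: 'u-guest' }) !== null,
    gatedSpoofedOwner: gated.insert('u-hq', { name: 'x', userId: 'u-admin' }) !== null,
    gatedHqInsert: hqFile !== null,
    gatedGuestRemove: gated.remove('u-guest', hqFile),
    gatedAdminRemove: gated.remove('u-admin', hqFile),
    gatedRemaining: gated.count(),
  };
}
```

Two points the model is meant to make visible. First, the `{{#if userHasPermission ...}}` guard in the template only hides the upload field; a client can still call the collection method directly, so the allow rule on the server side is the control that actually stops the write. Second, passing `true` to `allow` grants the action to every member of the role unconditionally; passing a function lets the rule look at the document (here, that the owner field matches the caller) before granting.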