requarks / wiki-v1

Legacy version (1.x) of Wiki.js
https://wiki.js.org
GNU Affero General Public License v3.0

File Manager access permission #136

Open pqangel opened 5 years ago

pqangel commented 5 years ago

Actual behavior

Permissions on file manager are not applied. Users without access to a certain path can see, upload and attach images, files and videos from paths they shouldn't have access to.

Expected behavior

Permissions applied on the user profile should also be applied to the file manager.

Steps to reproduce the behavior

1. Create a user
2. Apply deny permissions to read/write on a certain folder
3. Try to upload a file on the file manager.

You will see and be able to upload and use uploaded files without restriction.

tiagorvmartins commented 5 years ago

Hello there @pqangel, can I assign this issue to myself? Thanks.

pqangel commented 5 years ago

Of course, thank you @tiagorvmartins

tiagorvmartins commented 5 years ago

Hi @pqangel, quick question: I notice that the file uploader is managed by WebSockets in the file ws.js. My question is, where are the responses of those callbacks (cb) handled in the code, in order to provide error popups in case the user doesn't have the required permissions for uploading a file on a specific path and so on?

I already managed to check the required permissions for the operation using the socket.request variable, I just need to understand where these responses are handled.

Thanks!

EDIT: I notice that you are using SimpleMDE, but I can't find any handler for the responses of the actions, nor the instantiation of this SimpleMDE plugin, only a reference in package.json. Thanks! Using version 1.0.102; I am sure I am missing something.

tiagorvmartins commented 5 years ago

Hello @pqangel, just to let you know that I opened a pull request related to this development; it's here: https://github.com/Requarks/wiki/pull/708 Thanks!
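A sketch of the kind of server-side check discussed in this thread: the folder a file-manager socket action targets is checked against the user's deny/allow rules before the handler runs, and a refusal is returned through the callback (cb). This is an added example, not code from Wiki.js or from pull request 708; the rule shape `{ role, path, deny }`, the `socket.request.user.rights` field, the `data.folder` field and all function names are assumptions.

```javascript
'use strict'
const path = require('path')

// Constructed rule set (assumed shape): each rule grants or denies one role on a folder prefix.
const sampleRights = [
  { role: 'read', path: '/', deny: false },
  { role: 'write', path: '/', deny: false },
  { role: 'read', path: '/hr', deny: true },
  { role: 'write', path: '/hr', deny: true }
]

// Normalise a client-supplied folder so '..' segments and doubled slashes
// cannot be used to step outside the folder the rules are written for.
function normalizeFolder (folder) {
  if (typeof folder !== 'string' || folder.includes('\0')) return null
  const clean = path.posix.normalize('/' + folder.replace(/\\/g, '/'))
  return clean.length > 1 ? clean.replace(/\/+$/, '') : clean
}

// True when rulePath is the folder itself or an ancestor of it.
// Comparing on a segment boundary keeps '/hr' from matching '/hr-public'.
function covers (rulePath, folder) {
  const base = normalizeFolder(rulePath)
  return base === '/' || folder === base || folder.startsWith(base + '/')
}

// Most specific matching rule wins; deny beats allow at equal depth; no match means no access.
function isAllowed (rights, role, folder) {
  const target = normalizeFolder(folder)
  if (target === null) return false
  const matches = (rights || []).filter(r => r.role === role && covers(r.path, target))
  if (matches.length === 0) return false
  const depth = r => normalizeFolder(r.path).length
  const deepest = Math.max(...matches.map(depth))
  return !matches.some(r => depth(r) === deepest && r.deny)
}

// Wrap a socket handler so the check runs server-side before any file operation,
// and the refusal travels back through the same callback the client already awaits.
function guard (role, handler) {
  return function (socket, data, cb) {
    const user = socket.request && socket.request.user
    if (!user || !isAllowed(user.rights, role, data && data.folder)) {
      return cb({ ok: false, msg: 'Forbidden' })
    }
    return handler(socket, data, cb)
  }
}
```

Listing folders and images would be wrapped with the `read` role in the same way as uploads are with `write`, since the report covers seeing files as well as uploading them.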