Backoffice users can upload media through RTE outside assigned root folder by default

[D-Inventor]

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

13.5.1

Bug summary

When using the drag-and-drop image upload feature in RTE and no explicit upload folder is configured, users are able to upload media to the media root, even when they don't have access to the media root.

Specifics

This happens in the backoffice with users with restricted access to media.

Steps to reproduce

1. Create a fresh Umbraco 13.5.1 install
2. Create a document type and add a property with the RTE that comes out-of-the-box
3. Create a page at the root of the content tree and save & publish
4. Create a folder in the media section
5. Create a new backoffice user, assign the editor role and assign a media start node to the user with the folder that was created in step 4
6. Log out as admin and log back in as the new user
7. Go to the page created in step 3
8. Notice: if you click on the "add image" button, you're only able to upload and select images from the assigned media start node, as expected
9. Notice: if you drag-and-drop an image into the RTE and save & publish, you can upload images to the media root. Not as expected!

Expected result / actual result

I expect, when no explicit upload folder is configured for an RTE, that copy/pasted images in the RTE upload to a folder that the user has access to.

Instead, media is uploaded to the media root, even though the users are not supposed to have access to the media root.

[github-actions[bot]]

Hi there @D-Inventor!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

• We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
• If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
• We'll replicate the issue to ensure that the problem is as described.
• We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:

[NguyenThuyLan]

This issue does not happen on v14 and v15, but still be able to reproduce on v13.5.2