Commit eb5d7d2a authored by Steven Wittens's avatar Steven Wittens

Fixed bad permissions in upload.module:

- Admin - upload only shows up for 'access administration section' perms
- Users without the 'upload files' perm do not see the attachments form (and cannot attach even by sending their own HTTP request)

Note: if a user can edit a node, but not 'upload files', then the attachments are left untouched (and cannot be changed).
parent db548f75
...@@ -34,7 +34,7 @@ function upload_menu() { ...@@ -34,7 +34,7 @@ function upload_menu() {
$items[] = array( $items[] = array(
'path' => 'admin/upload', 'title' => t('uploads'), 'path' => 'admin/upload', 'title' => t('uploads'),
'callback' => 'upload_admin', 'callback' => 'upload_admin',
'access' => true, 'access' => user_access('access administration pages'),
'type' => MENU_NORMAL_ITEM 'type' => MENU_NORMAL_ITEM
); );
return $items; return $items;
...@@ -86,7 +86,7 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -86,7 +86,7 @@ function upload_nodeapi(&$node, $op, $arg) {
$output[t('attachments')] = form_checkbox(NULL, "upload_$node->type", 1, variable_get("upload_$node->type", 1)); $output[t('attachments')] = form_checkbox(NULL, "upload_$node->type", 1, variable_get("upload_$node->type", 1));
break; break;
case 'form param': case 'form param':
if (variable_get("upload_$node->type", 1)) { if (variable_get("upload_$node->type", 1) && user_access('upload files')) {
$output['options'] = array('enctype' => 'multipart/form-data'); $output['options'] = array('enctype' => 'multipart/form-data');
} }
break; break;
...@@ -111,8 +111,8 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -111,8 +111,8 @@ function upload_nodeapi(&$node, $op, $arg) {
$node->list[$key] = $file->list; $node->list[$key] = $file->list;
} }
} }
if ($file = file_check_upload('upload')) { if (($file = file_check_upload('upload')) && user_access('upload files')) {
global $user; global $user;
$max_size = variable_get("upload_maxsize_total", 0); $max_size = variable_get("upload_maxsize_total", 0);
...@@ -146,14 +146,14 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -146,14 +146,14 @@ function upload_nodeapi(&$node, $op, $arg) {
$error['usersize']++; $error['usersize']++;
} }
} }
if ($error['extension'] == count($user->roles)) { if ($error['extension'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => "<em>$file->filename</em>"))); form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => "<em>$file->filename</em>")));
} }
elseif ($error['uploadsize'] == count($user->roles)) { elseif ($error['uploadsize'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>"))); form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>")));
} }
elseif ($error['usersize'] == count($user->roles)) { elseif ($error['usersize'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>"))); form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>")));
} }
else { else {
...@@ -166,12 +166,12 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -166,12 +166,12 @@ function upload_nodeapi(&$node, $op, $arg) {
} }
break; break;
case 'form post': case 'form post':
if (variable_get("upload_$node->type", 1) == 1) { if (variable_get("upload_$node->type", 1) == 1 && user_access('upload files')) {
$output = upload_form($node); $output = upload_form($node);
} }
break; break;
case 'load': case 'load':
if (variable_get("upload_$node->type", 1) == 1) { if (variable_get("upload_$node->type", 1) == 1 && user_access('upload files')) {
$output->files = upload_load($node); $output->files = upload_load($node);
} }
break; break;
...@@ -219,7 +219,9 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -219,7 +219,9 @@ function upload_nodeapi(&$node, $op, $arg) {
break; break;
case 'insert': case 'insert':
case 'update': case 'update':
upload_save($node); if (user_access('upload files')) {
upload_save($node);
}
break; break;
case 'delete': case 'delete':
upload_delete($node); upload_delete($node);
...@@ -293,8 +295,10 @@ function upload_form($node) { ...@@ -293,8 +295,10 @@ function upload_form($node) {
if (count($node->files)) { if (count($node->files)) {
$output = form_item('', theme('table', $header, $rows), t('Note: changes made to the attachments are not permanent until you save this post.')); $output = form_item('', theme('table', $header, $rows), t('Note: changes made to the attachments are not permanent until you save this post.'));
} }
$output .= form_file(t('Attach new file'), "upload", 40); if (user_access('upload files')) {
$output .= form_button(t('Attach'), 'fileop'); $output .= form_file(t('Attach new file'), "upload", 40);
$output .= form_button(t('Attach'), 'fileop');
}
return '<div class="attachments">'. form_group(t('Attachments'), $output) . '</div>'; return '<div class="attachments">'. form_group(t('Attachments'), $output) . '</div>';
} }
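Review bot: The `&& $user->uid != 1` added to the three error branches at the `$error['extension']`, `$error['uploadsize']` and `$error['usersize']` checks exempts the superuser from every upload validation, including the invalid-extension check, and neither the commit message nor the code says why. If the intent is only to spare uid 1 the per-role size limits, the first branch should stay as it was, `if ($error['extension'] == count($user->roles)) {`; if the full bypass is deliberate, it deserves a comment such as `// uid 1 is exempt from the per-role extension and size limits.` so the next reader does not take it for a mistake. In the earlier hunk, `if (($file = file_check_upload('upload')) && user_access('upload files'))` evaluates the uploaded file before the permission test; swapping the operands, `if (user_access('upload files') && ($file = file_check_upload('upload')))`, keeps the cheap authorization check first. upload_nodeapi starts and ends outside these hunks.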
......
...@@ -34,7 +34,7 @@ function upload_menu() { ...@@ -34,7 +34,7 @@ function upload_menu() {
$items[] = array( $items[] = array(
'path' => 'admin/upload', 'title' => t('uploads'), 'path' => 'admin/upload', 'title' => t('uploads'),
'callback' => 'upload_admin', 'callback' => 'upload_admin',
'access' => true, 'access' => user_access('access administration pages'),
'type' => MENU_NORMAL_ITEM 'type' => MENU_NORMAL_ITEM
); );
return $items; return $items;
...@@ -86,7 +86,7 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -86,7 +86,7 @@ function upload_nodeapi(&$node, $op, $arg) {
$output[t('attachments')] = form_checkbox(NULL, "upload_$node->type", 1, variable_get("upload_$node->type", 1)); $output[t('attachments')] = form_checkbox(NULL, "upload_$node->type", 1, variable_get("upload_$node->type", 1));
break; break;
case 'form param': case 'form param':
if (variable_get("upload_$node->type", 1)) { if (variable_get("upload_$node->type", 1) && user_access('upload files')) {
$output['options'] = array('enctype' => 'multipart/form-data'); $output['options'] = array('enctype' => 'multipart/form-data');
} }
break; break;
...@@ -111,8 +111,8 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -111,8 +111,8 @@ function upload_nodeapi(&$node, $op, $arg) {
$node->list[$key] = $file->list; $node->list[$key] = $file->list;
} }
} }
if ($file = file_check_upload('upload')) { if (($file = file_check_upload('upload')) && user_access('upload files')) {
global $user; global $user;
$max_size = variable_get("upload_maxsize_total", 0); $max_size = variable_get("upload_maxsize_total", 0);
...@@ -146,14 +146,14 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -146,14 +146,14 @@ function upload_nodeapi(&$node, $op, $arg) {
$error['usersize']++; $error['usersize']++;
} }
} }
if ($error['extension'] == count($user->roles)) { if ($error['extension'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => "<em>$file->filename</em>"))); form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => "<em>$file->filename</em>")));
} }
elseif ($error['uploadsize'] == count($user->roles)) { elseif ($error['uploadsize'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>"))); form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>")));
} }
elseif ($error['usersize'] == count($user->roles)) { elseif ($error['usersize'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>"))); form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>")));
} }
else { else {
...@@ -166,12 +166,12 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -166,12 +166,12 @@ function upload_nodeapi(&$node, $op, $arg) {
} }
break; break;
case 'form post': case 'form post':
if (variable_get("upload_$node->type", 1) == 1) { if (variable_get("upload_$node->type", 1) == 1 && user_access('upload files')) {
$output = upload_form($node); $output = upload_form($node);
} }
break; break;
case 'load': case 'load':
if (variable_get("upload_$node->type", 1) == 1) { if (variable_get("upload_$node->type", 1) == 1 && user_access('upload files')) {
$output->files = upload_load($node); $output->files = upload_load($node);
} }
break; break;
...@@ -219,7 +219,9 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -219,7 +219,9 @@ function upload_nodeapi(&$node, $op, $arg) {
break; break;
case 'insert': case 'insert':
case 'update': case 'update':
upload_save($node); if (user_access('upload files')) {
upload_save($node);
}
break; break;
case 'delete': case 'delete':
upload_delete($node); upload_delete($node);
...@@ -293,8 +295,10 @@ function upload_form($node) { ...@@ -293,8 +295,10 @@ function upload_form($node) {
if (count($node->files)) { if (count($node->files)) {
$output = form_item('', theme('table', $header, $rows), t('Note: changes made to the attachments are not permanent until you save this post.')); $output = form_item('', theme('table', $header, $rows), t('Note: changes made to the attachments are not permanent until you save this post.'));
} }
$output .= form_file(t('Attach new file'), "upload", 40); if (user_access('upload files')) {
$output .= form_button(t('Attach'), 'fileop'); $output .= form_file(t('Attach new file'), "upload", 40);
$output .= form_button(t('Attach'), 'fileop');
}
return '<div class="attachments">'. form_group(t('Attachments'), $output) . '</div>'; return '<div class="attachments">'. form_group(t('Attachments'), $output) . '</div>';
} }
......