Take folder permissions into account when using assets in the Preside Admin
It is possible to deny or grant access to Asset folders in the Preside admin for user groups. This works fine in the Asset Manager UI itself.
However, if using assets anywhere else in the admin, those folder permissions seem to not be evaluated.
This means that even though a user group might not have access to a folder in the Asset Manager (in fact not even being able to see that folder), this folder still shows up when searching for assets / attachments in the rich editor as well as if using the asset picker form control anywhere. The user is able to pick and use any of the available assets/docs/images.
For example, an easy workaround (aka hack) for a user that does not have access to documents in a folder would be to just create a simple page in the site tree, add a link in the rich editor to that document in there and then use that link to download it.
It would be highly appreciated if the permissions would be evaluated in all places in the backend where assets can be used.
This has been merged to release-10.9.0
PR created for this:
Have added asset folder permission checking on areas outside of Asset manager
1) Asset picker's dropdown
asset picker's browser folder
asset picker upload new asset, folder selection
2) Rich editor
3) asset manager's search
Just to add to this: I think that the full text search in the asset manager is also affected.
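
An added example, not Preside's code and not taken from the PR: a minimal Python model of the fix discussed in this thread, where the folder permission check lives in one function that the asset picker, rich editor search, full text search and the download path all call. The `Folder` and `Asset` classes, the group names, the rule semantics (nearest folder with a rule decides, deny beats grant, default deny) and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Folder:
    id: str
    parent: "Folder | None" = None
    # group name -> True (grant) / False (deny); assumed model, not Preside's schema
    rules: dict = field(default_factory=dict)

@dataclass
class Asset:
    id: str
    title: str
    folder: Folder

def can_access(groups, folder):
    """Walk from the folder up to the root; the nearest folder carrying a rule
    for any of the user's groups decides, and a deny on that level wins."""
    node = folder
    while node is not None:
        decisions = [node.rules[g] for g in groups if g in node.rules]
        if decisions:
            return all(decisions)
        node = node.parent
    return False  # no rule anywhere on the path: default deny (assumption)

def visible_assets(groups, assets):
    """Single choke point: every listing outside the Asset Manager uses this."""
    return [a for a in assets if can_access(groups, a.folder)]

def picker_search(groups, assets, term):
    """Stands in for the asset picker dropdown, rich editor and full text search."""
    term = term.lower()
    return [a for a in visible_assets(groups, assets) if term in a.title.lower()]

def download(groups, assets, asset_id):
    """The link target is checked too, so a link placed in page content
    does not bypass the folder permission."""
    asset = next((a for a in assets if a.id == asset_id), None)
    if asset is None or not can_access(groups, asset.folder):
        raise PermissionError(asset_id)
    return asset

# Constructed sample data: "editors" are denied on the hr-docs folder.
ROOT = Folder("root", rules={"editors": True, "hr": True})
HR_DOCS = Folder("hr-docs", parent=ROOT, rules={"editors": False})
ASSETS = [Asset("a1", "Logo", ROOT), Asset("a2", "Salary report", HR_DOCS)]
```
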