Take folder permissions into account when using assets in the Preside Admin

Description

It is possible to deny or grant access to Asset folders in the Preside admin for user groups. This works fine in the Asset Manager UI itself.
However if using assets anywhere else in the admin, those folder permissions seem to not be evaluated.
This means that even though a user group might not have access to a folder in the Asset Manager (in fact not even being able to see that folder), this folder still shows up when searching for assets / attachments in the rich editor as well as if using the asset picker form control anywhere. The user is able to pick and use any of the available assets/docs/images.

For example an easy workaround (aka hack) for a user that does not have access to documents in a folder would be to just create a simple page in the site tree, add a link in the rich editor to that document in there and then use that link to download it.

It would be highly appreciated if the permissions would be evaluated in all places in the backend where assets can be used.

Environment

None

Activity

Show:
Nelson Chuah
April 26, 2018, 1:46 AM

This have been merged to release-10.9.0

Nelson Chuah
April 25, 2018, 7:10 AM

Hi Dom,

PR created for this:
https://github.com/pixl8/Preside-CMS/pull/469

Have added asset folder permission checking on areas outside of Asset manager
Tested on:
1) Asset picker's dropdown

  • asset picker's browser folder

  • asset picker upload new asset, folder selection

2) Rich editor

  • attachment picker

  • image picker

3) asset manager's search

Thank you
Nelson

Jan Jannek
April 17, 2018, 3:02 PM

Just to add to this: I think that the full text search in the asset manager is also affected.

Fixed

Assignee

Nelson Chuah

Reporter

Jan Jannek

Accepted

Yes