Denied asset download in admin possible under specific circumstances

Description

This is a follow-up issue of PRESIDECMS-1188.

It seems there is one missing piece. If you have a generated download link to an asset anywhere in the Preside admin, it will not take permissions into account but will simply let the user download that asset straight away (even though "download" permissions are denied for the folder in which this asset lives).
It would be awesome if this could be fixed ASAP, as it looks to me like a security issue.
An idea could be that it would just not download the asset and instead show a message box error stating that the user has insufficient permissions to download the asset.

Environment

None

Activity

Jan Jannek
May 25, 2018, 11:09 AM

Awesome. Thanks a lot for this super quick fix!

Dominic Watson
May 25, 2018, 10:48 AM

Thanks for raising, will just make it into 10.9

Fixed

Assignee

Jan Jannek

Reporter

Jan Jannek

Accepted

Yes