
Denied asset download in admin possible under specific circumstances

This is a follow-up issue of PRESIDECMS-1188.

It seems there is one missing piece. If there is a generated download link to an asset anywhere in the Preside admin, it will not take permissions into account but will simply let the user download that asset straight away (even though "download" permissions are denied for the folder in which this asset lives).
It would be awesome if this could be fixed ASAP, as it looks to me like a security issue.
An idea could be that it would just not download the asset and instead show a message box error stating that the user has insufficient permissions to download the asset.

Status

Assignee

Jan Jannek

Reporter

Jan Jannek

Accepted

Yes

Fix versions

Affects versions

10.9.0

Priority

High