Forum OpenACS Development: Permission discrepancy in file-storage
A professor here has set a special set of permissions for the file-storage of one of his courses. This is how we have found what we think is a discrepancy in the permissions needed to delete an object from the File Storage:
If you want to delete an item by the "Delete version" or "Delete file" in the file properties page, you need the delete permission. If you try to delete it using the bulk actions, you need (only?) the write permission.
Is this due to any reason in special or just an inconsistency of permissions?
Here are more details about Derick's question,
When you use the button for bulk actions, the script is:
server/file-storage/www/delete.tcland the code which determines if the user has proper permissions is the following sql (oracle's is similar):
select fs.object_id as fs_object_id, fs.type, fs.name, fs.parent_id, acs_permission__permission_p(fs.object_id, :user_id, 'write') as delete_p from fs_objects fs where fs.object_id in ('$object_id_list')
On the other hand, if you go through the file properties page and delete a file, the requested script is
server/file-storage/www/file-delete.tcland the corresponding checking code is
ad_require_permission $file_id delete
Additionally, the following comment appears in the move.tcl and delete.tcl file
# DaveB: I think it should be DELETE instead of WRITEs:
Snippet from file-move.tcl:
# check they have write permission on the file (is this really the
# right permission?)
ad_require_permission $file_id write
I can provide the patch or commit it to HEAD to fix the delete and move scripts.
I've also noticed this bug and posted in the bugtracker. Check it out to see if it's the same error: http://www.openacs.org/bugtracker/openacs/bug?bug%5fnumber=3156
I've also supplied a patch for this in the same bug report.
I hadn't realized this was already submitted in the bugtracker, sorry about that.
I submitted my patch in the bug report as well, it's basically the same but checking for the "delete" privilege instead of "admin", in case there's any explicit permission. I also changed this for the "move" process.