Forum OpenACS Development: Re: Res: Permission discrepancy in file-storage

Posted by Luis de la Fuente on

Here are more details about Derick's question,

When you use the button for bulk actions, the script is:

    server/file-storage/www/delete.tcl

and the code which determines if the user has proper permissions is the following SQL (Oracle's is similar):

    select fs.object_id as fs_object_id, fs.type, fs.name, fs.parent_id,
    acs_permission__permission_p(fs.object_id, :user_id, 'write') as delete_p
    from fs_objects fs
    where fs.object_id in ('$object_id_list')

On the other hand, if you go through the file properties page and delete a file, the requested script is

    server/file-storage/www/file-delete.tcl

and the corresponding checking code is

    ad_require_permission $file_id delete

Additionally, the following comment appears in the move.tcl and delete.tcl files:

    # DaveB: I think it should be DELETE instead of WRITEs:
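An audit query for the discrepancy described in the post above, added here as an example and not part of the original post or of OpenACS: it lists the file-storage objects on which a user's 'write' and 'delete' checks disagree, so the two delete paths give different answers. It assumes PostgreSQL, where acs_permission__permission_p returns a boolean, and a :user_id bind variable as in the delete.tcl query.

```sql
-- Added audit query, not OpenACS code.
-- Assumptions: PostgreSQL; acs_permission__permission_p returns boolean;
-- :user_id is bound by the caller, as in the delete.tcl query.
select p.object_id, p.type, p.name, p.parent_id,
       p.write_p, p.delete_p,
       case
         when p.write_p and not p.delete_p
           then 'delete.tcl (bulk) allows, file-delete.tcl denies'
         else 'delete.tcl (bulk) denies, file-delete.tcl allows'
       end as discrepancy
from (
    -- Evaluate both privileges once per object.
    select fs.object_id, fs.type, fs.name, fs.parent_id,
           acs_permission__permission_p(fs.object_id, :user_id, 'write')  as write_p,
           acs_permission__permission_p(fs.object_id, :user_id, 'delete') as delete_p
    from fs_objects fs
) p
-- Keep only objects where the two checks give different results.
where p.write_p <> p.delete_p
order by p.parent_id, p.name;
```

An empty result for a given user means both paths reach the same decision on every object that user can see in fs_objects.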

Posted by Gustaf Neumann on
This sounds like a clear bug to me...