I have an issue with permissions. I have two user roles on my site, and want to prevent one role from viewing pictures from the gallery. I set up the permissions accordingly, but still the pictures are visible to all users. I guess it is a bug unless I am missing something very obvious...

Members fund testing for the Drupal project. Drupal Association Learn more


JacobSingh’s picture

Project: Media » Media Gallery

This is actually a bug in the media gallery module. If you visit media/123 (Where 123 is the ID of the file) you will see permissions working, but the Media Gallery module isn't respecting them.

JacobSingh’s picture

Version: 7.x-1.0-beta5 » 7.x-1.x-dev
Moloc’s picture

Status: Active » Needs review
7.84 KB

Here is a patch, which should respect the permissions.

The only access-permission, which i am not sure, if it is correct, is "remove media from gallery". Currently you can remove a media from the gallery, if you have the "Node: Gallery edit" permission. Is that also true, if you have no media permission (view/edit)? (This may be more important, when media supports a better permission-granularity.)

lsolesen’s picture

Status: Needs review » Needs work

The patch does not apply to latest changes in the media gallery.

lsolesen’s picture

Issue tags: +Beta8-blockers


Moloc’s picture

Status: Needs work » Needs review
7.18 KB

Recreated patch.

- Removed access check in media_gallery.theme.inc (If there is no access to the files, they will be removed before theming.)
= Modified media_gallery_edit_item_access to not check, whether the user has access to the node, as the user only wants to edit the media.
+ Added access check in the edit media page to remove the media from gallery (only allow, if the user has update permissions).

lsolesen’s picture

Status: Needs review » Reviewed & tested by the community

The patch looks good. Tested with non-auth and auth without view permissions. You can commit.

Moloc’s picture

Status: Reviewed & tested by the community » Fixed

Automatically closed -- issue fixed for 2 weeks with no activity.