Incorrect permission checking for multiple upload form [#1870538]

This is directly related to: #1870532: Missing module and permission checks on multiple upload submission

After uploading multiple files @ /file/add, I'm redirected by the file_entity module to admin/content/file/edit-multiple/%.

The problem is that media requires the 'edit any files' permission to view that page, so I often land on an "Access denied".

Why is that permission required? It doesn't make sense since I'm brought there after uploading my own files.

Comment	File	Size	Author
#10	media-permission_check_multiple_upload-1870538-10.patch	2.18 KB	aaron
#3	media-permission_check_multiple_upload-1870538-3.patch	1.8 KB	mstef
#1	media-permission_check_multiple_upload-1870538-1.patch	1.24 KB	mstef

Comments

Comment #1

mstef commented 19 December 2012 at 18:57

Status:

Active

» Needs review

Status	File	Size
new	media-permission_check_multiple_upload-1870538-1.patch	1.24 KB

How does this look?

Added a custom access callback for the page, which passes in the array of files.

We iterate the files, and make sure the user can 'update' each.

Comment #2

mstef commented 19 December 2012 at 19:20

This still redirects the user to /admin/content/file after submitting the form, which will result in a 403.

And the link could still possibly link to the same page..

Status	File	Size
new	media-permission_check_multiple_upload-1870538-3.patch	1.8 KB

Comment #4

ParisLiakos commented 20 December 2012 at 15:09

Status:

Needs review

» Needs work

thanks

+++ b/includes/media.pages.incundefined
@@ -64,7 +64,7 @@ function media_file_page_edit_multiple($files) {
+    '#href' => isset($_GET['destination']) ? $_GET['destination'] : (user_access('administer files') ? 'admin/content/file' : '<front>'),

this should be splitted to an if/else statement..it would be easier to read

+++ b/media.moduleundefined
@@ -595,6 +596,27 @@ function media_file_download_access($field, $entity_type, $entity) {
+/**
+ * Access callback for the media-multi form
+ * ¶
+ * @param $files
+ *   An array of files being editing on the multiform.
+ * @return
+ *   TRUE if the current user has access to edit all of the files, otherwise FALSE.
+ */
+function media_multi_form_access($files) {
+  // Check that the current user can edit each file
+  if (!empty($files)) {
+    foreach ($files as $file) {
+      if (!file_entity_access('update', $file)) {
+        return FALSE;
+      }
+    }
+    return TRUE;
+  }
+  return FALSE;
+}

maybe you should expose the $op as argument here instead of hardcoding it to 'update', so this function becomes even more reusable.

Also maybe rename it to _media_file_entity_access_recursive

Comment #5

devin carlson commented 16 June 2013 at 15:38

Marked #2015787: Access Denied errors when importing bulk media as a duplicate.

Comment #6

fallenturtle commented 22 July 2013 at 06:45

Could anyone provide advice on looking into how to backport this patch for 1.3?

Looking at the patch I found the places in the media.module to edit, but I cannot find the lines for /includes/media.pages.inc and I can't find the entity file patch from here #1870532: (https://drupal.org/node/1870532) at all.