It seems that when you want to put an asset link in a blog post and want to keep it private to certain roles, it only allows you to restrict it to roles which can 'create assets'. Like, what if you don't want your clients to create assets (only employee roles should be able to in my situation) but also make files private so client roles can download them when we link those assets in a blog page?

Aka employees should be able to create assets and client roles should be able to access them if we let them. But if you don't set up ACL for clients to 'create asset' rights, then they don't show up in the checkbox list of roles to access the asset.

Any idea why accessing assets is linked to creating assets?

Comments

armyofda12mnkeys’s picture

Another funky problem. I set a private dl for the client role, but he cannot access the download unless the Webform module's "access webform results" is turned on for this role. Any idea?

I get a "Page not found" page if that role isn't turned on, weird.

wmostrey’s picture

Hey there,

Please note that the permissions are only for editors, not for visitors. It allows you to control who can add the assets using the asset wizard. For instance if you set an asset to private for the "moderator" role, only you and people with the "moderator" role will be able to see the asset in the asset wizard.

If you want to restrict viewers from seeing the asset, you could for instance use the CCK field permissions module.

As for the webform issue, to be honest I think that's a webform bug related to private downloads. I certainly don't check for the "access webform results" permission in the asset module.

Does this answer your question?

armyofda12mnkeys’s picture

Okay, I gotcha. I think I was trying to make the module act more like the IMCE module, for sharing/keeping private user files, but couldn't do something in it, so I was trying to get Asset to simulate it when I shouldn't really.

I think I figured out why Webform's 'access webform results' was messing up access to Asset...
They use _file_download() also to set perms to download files uploaded in a webform by a user. So if that perm is set for a user then he/she can download any files in your files directory. So hence why they would be able to dl IMCE files when I thought they shouldn't be able to dl.

Kinda seems like Drupal should set a way so the many modules that allow file downloads can set access for their specific downloads.
Like I mentioned in the IMCE module...

So what happens when a file from IMCE is requested and all _file_download() hooks are called, IMCE says the person can access the file, but will Webform deny access to the file, since the file won't exist in /webform and the user might not have access to webform results?

This is a general Drupal file security question, sorry if it's the wrong place for it here.
Seems like there should be like a 3rd return value for _file_download(), 0 if you don't want the module to handle allow/deny access to the file.
So all module developers should see if the (unique) filepath exists in their module's database table for files, and if not, return 0.

wmostrey’s picture

Status: Active » Fixed

armyofda12mnkeys’s picture

Hey, just wondering if I was correct about the statement that many modules using _file_download() can mess up perms to dl files between them all, and if there is a way past it?

wmostrey’s picture

You are correct about _file_download() but I'm afraid this will not get fixed before Drupal 7's hook_file passes through: http://drupal.org/node/142995.
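
An added example, not part of the original thread or of any module's code: a standalone PHP model of the download behaviour discussed above, assuming the core rule that any hook returning -1 denies the download, otherwise any returned headers grant it, and otherwise the request ends in "Page not found". The `decide_download()` helper, the two hook bodies and the file paths are constructed for illustration.

```php
<?php
// Standalone model, no Drupal bootstrap. Hook bodies and file paths are
// constructed for illustration; they are not Webform's or Asset's code.

// Assumed core rule: any -1 denies, else any headers grant, else 404.
function decide_download(array $hooks, $filepath, array $perms) {
  $headers = array();
  foreach ($hooks as $hook) {
    $result = $hook($filepath, $perms);
    if (is_array($result)) {
      $headers = array_merge($headers, $result);
    }
    elseif (isset($result)) {
      $headers[] = $result;
    }
  }
  if (in_array(-1, $headers, TRUE)) {
    return 'access denied';
  }
  return count($headers) ? 'file transferred' : 'page not found';
}

// Over-broad hook: answers for every path on a permission check alone.
$broad = function ($filepath, array $perms) {
  if (in_array('access webform results', $perms)) {
    return array('Content-Type: application/octet-stream');
  }
  return NULL;
};

// Scoped hook: abstains (NULL) outside its own directory, decides inside it.
$scoped = function ($filepath, array $perms) {
  if (strpos($filepath, 'webform/') !== 0) {
    return NULL;
  }
  return in_array('access webform results', $perms)
    ? array('Content-Type: application/octet-stream') : -1;
};

$hooks = array('broad' => $broad, 'scoped' => $scoped);
$users = array('client' => array(), 'staff' => array('access webform results'));
foreach ($hooks as $name => $hook) {
  foreach (array('assets/contract.pdf', 'webform/upload.txt') as $path) {
    foreach ($users as $who => $perms) {
      printf("%-6s %-6s %-20s %s\n", $name, $who, $path,
        decide_download(array($hook), $path, $perms));
    }
  }
}
```

In this model only the over-broad hook lets the Webform permission open a file outside `webform/`; the scoped hook abstains there, so the decision is left to whichever module owns the file.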

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.