authorSteven Wittens <steven@10.no-reply.drupal.org>2004-08-18 21:55:39 +0000
committerSteven Wittens <steven@10.no-reply.drupal.org>2004-08-18 21:55:39 +0000
commiteb5d7d2a27d893a2d4f2cf55d938971915b3b8be (patch)
tree10faf8542d1dbb61975eb4c4fcb01398a48cacce /modules/upload.module
parentdb548f7579472877169cb4e6977a15418b3f6db7 (diff)
downloadbrdo-eb5d7d2a27d893a2d4f2cf55d938971915b3b8be.tar.gz
brdo-eb5d7d2a27d893a2d4f2cf55d938971915b3b8be.tar.bz2
Fixed bad permissions in upload.module:
- Admin - upload only shows up for 'access administration section' perms
- Users without 'upload files' perm do not see the attachments form (and cannot attach even when sending their own HTTP request)
Note: if a user can edit a node but does not have 'upload files', the attachments are left untouched (and cannot be changed).
Diffstat (limited to 'modules/upload.module')
-rw-r--r--modules/upload.module30
1 files changed, 17 insertions, 13 deletions
diff --git a/modules/upload.module b/modules/upload.module
index f3039996f..b89630ab2 100644
--- a/modules/upload.module
+++ b/modules/upload.module
@@ -34,7 +34,7 @@ function upload_menu() {
$items[] = array(
'path' => 'admin/upload', 'title' => t('uploads'),
'callback' => 'upload_admin',
- 'access' => true,
+ 'access' => user_access('access administration pages'),
'type' => MENU_NORMAL_ITEM
);
return $items;
@@ -86,7 +86,7 @@ function upload_nodeapi(&$node, $op, $arg) {
$output[t('attachments')] = form_checkbox(NULL, "upload_$node->type", 1, variable_get("upload_$node->type", 1));
break;
case 'form param':
- if (variable_get("upload_$node->type", 1)) {
+ if (variable_get("upload_$node->type", 1) && user_access('upload files')) {
$output['options'] = array('enctype' => 'multipart/form-data');
}
break;
@@ -111,8 +111,8 @@ function upload_nodeapi(&$node, $op, $arg) {
$node->list[$key] = $file->list;
}
}
-
- if ($file = file_check_upload('upload')) {
+
+ if (($file = file_check_upload('upload')) && user_access('upload files')) {
global $user;
$max_size = variable_get("upload_maxsize_total", 0);
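Review bot: In the new condition `file_check_upload('upload')` still runs before `user_access('upload files')`, so the submitted file is processed even for a user who is not allowed to attach; whatever file_check_upload() does with the temporary file (its body is not shown here) happens regardless of permission. Put the permission test first so it short-circuits: `if (user_access('upload files') && ($file = file_check_upload('upload'))) {`. The lines just above, which copy the posted list state into `$node->list`, sit outside this guard too; the new check around upload_save() appears to keep that from being persisted, but a comment saying so would help. The enclosing case of upload_nodeapi() starts and ends outside the hunk.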
@@ -146,14 +146,14 @@ function upload_nodeapi(&$node, $op, $arg) {
$error['usersize']++;
}
}
-
- if ($error['extension'] == count($user->roles)) {
+
+ if ($error['extension'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => "<em>$file->filename</em>")));
}
- elseif ($error['uploadsize'] == count($user->roles)) {
+ elseif ($error['uploadsize'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>")));
}
- elseif ($error['usersize'] == count($user->roles)) {
+ elseif ($error['usersize'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('Error attaching file %name: exceeds maximum file size', array('%name' => "<em>$file->filename</em>")));
}
else {
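Review bot: The added `$user->uid != 1` sends user 1 to the accepting `else` branch even when every extension and size check failed, which the commit message does not mention and no comment explains. Compute it once and say why, e.g. `$exempt = ($user->uid == 1); // user 1 bypasses extension and size limits`, then test `!$exempt &&` in each branch. Separately, all three messages place `$file->filename` between `<em>` tags unescaped; the name is supplied by the client, so unless file_check_upload() already sanitises it, escape it at this point: `'%name' => '<em>'. htmlspecialchars($file->filename) .'</em>'`. The if/elseif chain continues past the end of the hunk.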
@@ -166,12 +166,12 @@ function upload_nodeapi(&$node, $op, $arg) {
}
break;
case 'form post':
- if (variable_get("upload_$node->type", 1) == 1) {
+ if (variable_get("upload_$node->type", 1) == 1 && user_access('upload files')) {
$output = upload_form($node);
}
break;
case 'load':
- if (variable_get("upload_$node->type", 1) == 1) {
+ if (variable_get("upload_$node->type", 1) == 1 && user_access('upload files')) {
$output->files = upload_load($node);
}
break;
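Review bot: Gating the `'load'` case on `user_access('upload files')` ties reading attachments to the permission for adding them, so `$output->files` is no longer populated for anyone who lacks it. If the view path (not in this hunk) renders from `$node->files`, visitors who may only read nodes would stop seeing existing attachments. Consider leaving 'load' as `if (variable_get("upload_$node->type", 1) == 1) {` and relying on the new checks in 'form post', in validation and around upload_save() to block changes.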
@@ -219,7 +219,9 @@ function upload_nodeapi(&$node, $op, $arg) {
break;
case 'insert':
case 'update':
- upload_save($node);
+ if (user_access('upload files')) {
+ upload_save($node);
+ }
break;
case 'delete':
upload_delete($node);
@@ -293,8 +295,10 @@ function upload_form($node) {
if (count($node->files)) {
$output = form_item('', theme('table', $header, $rows), t('Note: changes made to the attachments are not permanent until you save this post.'));
}
- $output .= form_file(t('Attach new file'), "upload", 40);
- $output .= form_button(t('Attach'), 'fileop');
+ if (user_access('upload files')) {
+ $output .= form_file(t('Attach new file'), "upload", 40);
+ $output .= form_button(t('Attach'), 'fileop');
+ }
return '<div class="attachments">'. form_group(t('Attachments'), $output) . '</div>';
}
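Review bot: In the visible lines `$output` is assigned only inside `if (count($node->files))`, so with the new guard a user without 'upload files' on a node with no files reaches `form_group(t('Attachments'), $output)` with an undefined variable, unless it is initialised above this hunk. If it is not, add `$output = '';` where the function starts building its output. Given the 'form post' change, upload_form() looks reachable only with the permission, so a one-line comment marking this inner check as defence in depth would keep it from being removed later as dead code.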