Site files accessible in "Links and resources" sidebar

Bug #1223069 reported by Aaron Wells on 2013-09-09
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Mahara
Wishlist
Adrian Schlegel

Bug Description

According to the Site Files documentation, files uploaded into the site files section are meant to be accessible to all logged-in users (via the "Site Files" tab on any file selector). The one exception to this is files in the hard-coded "Public" folder, which are meant to also be accessible to users who aren't logged in.

A user on the #mahara irc channel reported that Site Files sitting in a subdirectory, however, are not accessible to normal users. I verified this behavior in 1.8dev.

To reproduce:

1. Log in as an admin user
2. Go to the Site Files page
3. Create a subdirectory
4. Upload a file into that subdirectory
5. Log in as a non-admin user
6. Add a "files to download" block to a page
7. In the block's file selector, go to the "site files" page
8. You will not see the subdirectory you created in step 4, or be able to access its files.

Aaron Wells (u-aaronw) on 2013-09-09
tags: added: snack-sized
Aaron Wells (u-aaronw) wrote :

An update on this. From comments in the code, and an analysis of how this works, it looks like the original intent on how this was meant to work is as follows:

1. Site Files in the "public" directory can be chosen in the file selector by admins and non-admins (for attaching to Blocks, for instance)
2. Site Files outside the "public" directory cannot.

So it would seem that the proper fix would be:

1. Update the documentation to reflect this
2. Make it so that no files outside of the "public" directory can be chosen in the file selector by non-admins.

However, if we were to implement that change, we would have to watch out for existing sites where non-admin users are relying on files placed in the root level of Site Files. We'd need to move these into the Public directory so they remain accessible, and doing this could cause some disruption (for instance if there's already a file in the Public directory with the same name).

So, it's kind of a major change that would need to be made during a major release. And unfortunately it's too late to include it in 1.8 at this point, so it'll have to wait for 1.9.

Adrian Schlegel (adrian-liip) wrote :

Just submitted a patch to gerrit: https://reviews.mahara.org/#/c/2493/

Adrian Schlegel (adrian-liip) wrote :

Sorry, I just read the bug report again. The behaviour that I was talking about was the following:

1. Log in as an admin user
2. Go to the Site Files page
3. Create a subdirectory
4. Upload a file into that subdirectory
5. go to the 'links and resources' menu
6. select 'Logged-in links and resources'
7. Check 'Site file' and select the uploaded file and add the new entry
8. Log in as a non-admin user
9. click on the newly created link in the 'links and resources' block
10. you get an 'access denied' error

The patch that I submitted fixes this issue.

I created bug #1224750 for Aaron's original report so that we don't lose track of it.

summary: - Site files located in a subfolder cannot be accessed by normal users
+ Site files accessible in "Links and resources" sidebar
Changed in mahara:
importance: Low → Wishlist

Tagged wishlist because it introduces a new feature

Important for testing:

Use Adrian's test scenario and make sure that the site setting of site file access is ticked.

According to my user documentation, e.g. http://manual.mahara.org/en/1.7/blocks/files.html users can only see files in the "public" folder and re-use them in their portfolios. It would be great if you could clarify please whether the new sub folders feature applies to all folders or only "public". That would be great to know for the testing of this feature and then the documentation. :-)

Adrian Schlegel (adrian-liip) wrote :

The sub folders feature should apply to both files in 'public' and files in folders other than 'public'. Of course the same restrictions should still apply, meaning that users can still only use the files in 'public' and its sub folders to re-use them in their portfolios.
And I think it's a bug fix and not a feature since administrators can currently link files in the 'link and resources' menu that are in a sub folder and users still cannot access these files :-)

Reviewed: https://reviews.mahara.org/2493
Committed: http://gitorious.org/mahara/mahara/commit/590c6a2f6d3e7139d0a89d161cbf3edd598402e6
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 590c6a2f6d3e7139d0a89d161cbf3edd598402e6
Author: Adrian Schlegel <email address hidden>
Date: Thu Sep 12 11:20:41 2013 +0200

Allow users access to site files in subfolders (Bug #1223069)

This patch introduces a setting which, if turned on, allows users to
access linked site files which are placed in subfolders.

Linked site files are set up under Configure site -> Menus

Change-Id: Iae4b9e10ef6a921cbf5a3afd9881f33b4c9f280c
Signed-off-by: Adrian Schlegel <email address hidden>

Son Nguyen (ngson2000) on 2013-12-03
Changed in mahara:
assignee: nobody → Adrian Schlegel (adrian-liip)
status: Confirmed → Fix Committed
Changed in mahara:
milestone: none → 1.9.0
tags: added: nominatedfeature
Robert Lyon (robertl-9) on 2014-04-22
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers