Opened 7 years ago

Closed 7 years ago

#6343 closed defect (worksforme)

I can't protect from removing attachments files

Reported by: anonymous Owned by: osimons
Priority: high Component: FullBlogPlugin
Severity: critical Keywords:
Cc: maxwellfarias@… Trac Release: 0.11



The BLOG_VIEW permission doesn't protect from removing attachments files. Is this a bug or a configuration issue?

Attachments (0)

Change History (2)

comment:1 Changed 7 years ago by anonymous

  • Cc maxwellfarias@… added; anonymous removed

comment:2 Changed 7 years ago by osimons

  • Resolution set to worksforme
  • Status changed from new to closed

Configuration, I'd say. On my setup, a user with only BLOG_VIEW is allowed to see posts and attachments, but no more. The user won't be able to delete attachments (or upload new ones).

I'd check Permissions, and suspect the user has some other blog-related permissions as well (more than just viewing). Or perhaps you've installed some custom security policy plugin or similar that change default behaviour? Default policies looks like this:

permission_policies = DefaultPermissionPolicy, LegacyAttachmentPolicy

Add Comment

Modify Ticket

as closed The owner will remain osimons.
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.