Opened 8 years ago

Closed 8 years ago

#6343 closed defect (worksforme)

I can't protect from removing attachments files

Reported by: anonymous Owned by: osimons
Priority: high Component: FullBlogPlugin
Severity: critical Keywords:
Cc: maxwellfarias@… Trac Release: 0.11



The BLOG_VIEW permission doesn't protect from removing attachments files. Is this a bug or a configuration issue?

Attachments (0)

Change History (2)

comment:1 Changed 8 years ago by anonymous

Cc: maxwellfarias@… added; anonymous removed

comment:2 Changed 8 years ago by osimons

Resolution: worksforme
Status: newclosed

Configuration, I'd say. On my setup, a user with only BLOG_VIEW is allowed to see posts and attachments, but no more. The user won't be able to delete attachments (or upload new ones).

I'd check Permissions, and suspect the user has some other blog-related permissions as well (more than just viewing). Or perhaps you've installed some custom security policy plugin or similar that change default behaviour? Default policies looks like this:

permission_policies = DefaultPermissionPolicy, LegacyAttachmentPolicy

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain osimons.
The resolution will be deleted.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.