Access to Uploader from front end


tomfuller

Mar 10, 2011, 12:27:32 PM
to joomla-dev...@googlegroups.com
Joomla 1.5 allowed front end access to com_media with a link like:

$bar->appendButton( 'Popup', 'upload', $alt, "index.php?option=com_media&tmpl=component&task=popupUpload&folder=", 800, 700 );

In 1.6 you get an error:

You are not allowed to view this resource.

This is when logged into the front end as a super administrator. No changing of permissions of the com_media seems to change it.

Also, having a form field of "media" in a front end form gets that same error message.

Was the code rewritten to disallow front end access to com_media? I need it for users to be able to upload media files.

Tom

elin

Mar 10, 2011, 1:47:41 PM
to joomla-dev...@googlegroups.com
You can definitely use the media field from the front end; I know we fixed some issues with that and that I tested adding an avatar in the profile plugin. IIRC you need to make sure that those users have create rights in com_media if they are going to be able to upload. Without create rights they can only select from the images already in the media manager.
 
Elin 

tomfuller

Mar 10, 2011, 2:08:03 PM
to joomla-dev...@googlegroups.com
I guess I'm confused then - Super Users - have create rights to com_media. Logged in on front end as superadmin.

This field from the form:

<field name="filename" type="media" label="JBS_MED_FILENAME"
            description="JBS_MED_USE_FILENAME_AS_PATH" class="inputbox" size="50" />

Generated in the form:

<div class="button2-left">
<div class="blank">
<a class="modal" title="JSELECT" href="/j16-1/index.php/component/media/?view=images&amp;tmpl=component&amp;asset=&amp;author=&amp;fieldid=jform_filename&amp;folder=" rel="{handler: 'iframe', size: {x: 800, y: 500}}">
JSELECT</a>
</div>
</div>
<div class="button2-left">
<div class="blank">
<a title="JCLEAR" href="#" onclick="javascript:document.getElementById('jform_filename').value='';">
JCLEAR</a>
</div>

Receive error in the modal box: You are not authorized to view this resource.

elin

Mar 10, 2011, 7:36:15 PM
to joomla-dev...@googlegroups.com
Definitely broken. But it is a bug, not by design. It was working when 23568 was closed, so I suspect a regression somewhere. Will take a look. 

Elin

elin

Mar 11, 2011, 6:45:51 PM
to joomla-dev...@googlegroups.com

tomfuller

Mar 11, 2011, 7:00:28 PM
to joomla-dev...@googlegroups.com
Yeah - the patch works!!!!!

I can now access the com_media component from the front end when logged in.

tomfuller

Apr 20, 2011, 11:00:52 AM
to joomla-dev...@googlegroups.com
The patch for front end access to the media manager was apparently not carried in to Joomla 1.6.2. Access to front end now denied even for superadmin logged in on front end.

Mark Dexter

Apr 20, 2011, 11:18:03 AM
to joomla-dev...@googlegroups.com
It is fixed in 1.6.3. Mark

On Wed, Apr 20, 2011 at 8:00 AM, tomfuller <tomfu...@gmail.com> wrote:
The patch for front end access to the media manager was apparently not carried in to Joomla 1.6.2. Access to front end now denied even for superadmin logged in on front end.

--
You received this message because you are subscribed to the Google Groups "Joomla! Framework Development" group.
To post to this group, send an email to joomla-dev...@googlegroups.com.
To unsubscribe from this group, send email to joomla-dev-frame...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-dev-framework?hl=en-GB.

tomfuller

Apr 20, 2011, 11:27:04 AM
to joomla-dev...@googlegroups.com
Excellent. Thanks!

tomfuller

Dec 9, 2011, 11:23:04 AM
to joomla-dev...@googlegroups.com
This same issue has come up again. Logged on as superadmin on front end. In front end form:

http://localhost/j17-1/index.php?option=com_media&tmpl=component&task=popupUpload&folder=


"You are not authorized to view this resource"

Joomla 1.7.3

The error arises from: /components/com_media/media.php around line 21:

$asset = JRequest::getCmd('asset');
$author = JRequest::getCmd('author');
if (!$asset or
        !$user->authorise('core.edit', $asset)
    &&    !$user->authorise('core.create', $asset)
    &&     count($user->getAuthorisedCategories($asset, 'core.create')) == 0
    &&    !($user->id==$author && $user->authorise('core.edit.own', $asset)))
{
    return JError::raiseWarning(403, JText::_('JERROR_ALERTNOAUTHOR'));
}

$user is in group 8 - super users
$asset is null
$author is null

In the backend under com_media superusers are allowed in all areas of this component.

Why use $asset in this way and not check user permissions like com_content: (views/category/view.html.php)

// Check whether category access level allows access.
$user   = JFactory::getUser();
$groups = $user->getAuthorisedViewLevels();
if (!in_array($category->access, $groups)) {
    return JError::raiseError(403, JText::_("JERROR_ALERTNOAUTHOR"));
}
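
Why the super user is still refused, as an added example (not part of the original post, and not Joomla's code): the check quoted from media.php is modelled below with a hypothetical StubUser that counts ACL lookups. With an empty asset the request is denied before any permission is consulted, which is why changing com_media permissions has no effect.

```php
<?php
// Added illustration: a stand-alone model of the front-end com_media gate quoted above.
// StubUser is hypothetical; it only mimics the JUser methods that the check calls.
class StubUser
{
    public $id;
    public $aclLookups = 0;
    private $superUser;

    public function __construct($id, $superUser)
    {
        $this->id = $id;
        $this->superUser = $superUser;
    }

    public function authorise($action, $asset)
    {
        $this->aclLookups++;
        return $this->superUser; // assumption: super users pass every ACL lookup
    }

    public function getAuthorisedCategories($asset, $action)
    {
        $this->aclLookups++;
        return $this->superUser ? array(1) : array();
    }
}

// Same condition as media.php. The original's "or" binds more loosely than "&&",
// so PHP groups it as (!$asset) or (A && B && C && D); "||" with explicit
// parentheses expresses that grouping here.
function mediaGateDenies($user, $asset, $author)
{
    return !$asset
        || (!$user->authorise('core.edit', $asset)
            && !$user->authorise('core.create', $asset)
            && count($user->getAuthorisedCategories($asset, 'core.create')) == 0
            && !($user->id == $author && $user->authorise('core.edit.own', $asset)));
}

// Constructed requests: asset and author values as they would arrive in the URL.
$cases = array(
    'asset= (empty, as in the generated link)' => array('', ''),
    'asset=com_content'                        => array('com_content', ''),
);
foreach ($cases as $label => $case) {
    $user = new StubUser(42, true); // constructed super user
    $denied = mediaGateDenies($user, $case[0], $case[1]);
    printf("%-42s denied=%-5s ACL lookups=%d\n", $label, var_export($denied, true), $user->aclLookups);
}
```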

JM Simonet

Dec 9, 2011, 11:40:55 AM
to joomla-dev...@googlegroups.com
Can you post the issue on tracker with a patch?

Thanks.
-- 
Jean-Marie Simonet  /  infograf768
Joomla Production Working group
Joomla! Translation Coordination Team 

tomfuller

Dec 9, 2011, 11:54:44 AM
to joomla-dev...@googlegroups.com
This patch: http://joomlacode.org/gf/download/trackeritem/25288/62593/mediafieldacl-ejw.patch

which is discussed here:

http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=25288

solves the problem but it was not carried into 1.7.3.

There is some discussion as to whether the patch is proper but it does work!


tomfuller

Feb 24, 2012, 4:19:31 PM
to joomla-dev...@googlegroups.com
FYI - Joomla 2.5.1 still restricts front end access to the media manager. Can we get this back?