Details
-
Improvement
-
Resolution: Unresolved
-
Medium
-
4.7.0
-
None
-
None
Description
Location selector for uploaded images, embed into a XML Block field, doesn't fully reflect restriction policies that have been defined for the current user.
If, for instance, a user is only allowed to publish images in a subfolder of media/images/ , the Location select box will still include automatic and <node-name> (this) (when the node is being edited.
Ideally, both locations should be filtered out, if the user doesn't have permissions to create content there.
Steps to reproduce:
- edit default policies in order to remove content create image
- create a folder under media/images
- specify a new policy with content create image to media/images/<new folder>
- log in with the user affected by the above role
- create an object, in content structure, insert an image in a XML Field, verify the list of locations available
=> it includes automatic, which will result in a Forbidden error being returned - select a valid location and publish the object
- edit the object, insert an image in the XML Field, verify the list of locations available
=> besides the referred automatic, the list now includes a <object-name> (this) option, which should also not be available, since the user cannot create the image there