alansegar
25 Jun 2017

Steps to reproduce the issue

Fresh install of Joomla 3.7.2
Create a user and assign the Publisher group.
Log into the front-end as the new user.
Edit an article, clicking the Image button to insert an image.
Navigate to a sub-folder (doesn't matter how many levels down the tree).
Click the Up button to return to the parent folder you were just in.

Expected result

The parent folder should be shown

Actual result

An error page is shown (403 error in Network tab)

System information (as much as possible)

Additional comments

This affects both front-end and back-end (as long as the user isn't a superuser).
It also affects other places which use the same file selector e.g. Images and Links tab.

Using the drop-down list next to the button which works fine, I've been able to see the difference between the requests. The working request has asset and author values set (asset=61&author=849) but the broken one does not have these values populated (asset=&author=):

403 from Up button:
GET http://example.com/folder/index.php?option=com_media&view=imagesList&tmpl=component&asset=&author=&folder=top/level-one

200 from drop-down:
GET http://example.com/folder/index.php?option=com_media&view=imagesList&tmpl=component&asset=61&author=849&folder=top/level-one

alansegar - open - 25 Jun 2017
joomla-cms-bot - labeled - 25 Jun 2017
franz-wohlkoenig - comment - 25 Jun 2017

Issue confirmed, Up-Button in Media-Manager doesn't work.

franz-wohlkoenig - change - 25 Jun 2017
Status: New → Confirmed
brianteeman - comment - 5 Oct 2017

weird as it works correctly for a super user

franz-wohlkoenig - change - 6 Oct 2017
Status: Confirmed → Discussion
brianteeman - comment - 17 Oct 2017

Looks like the problem is coming from here where it is not getting a value for author
https://github.com/joomla/joomla-cms/blob/staging/media/media/js/popup-imagemanager.js#L274

Quy - comment - 24 Jan 2018

The issue is that asset and author are not set in this.setFrameUrl(search);

		/**
		 * Move up one directory
		 *
		 * @return  void
		 */
		upFolder: function ()
		{
			var path = this.folderlist.value.split('/'),
				search;

			path.pop();
			search = path.join('/');

			this.setFolder(search);
			this.setFrameUrl(search);
		},

I don't know JavaScript to update the above code to extract the asset and author values from the following:

<select id="folderlist" name="folderlist" size="1" onchange="ImageManager.setFolder(this.options[this.selectedIndex].value, 159, 433)" style="display: none;">
	<option value="">/</option>
	<option value="banners">/banners</option>
	<option value="headers">/headers</option>
	<option value="sampledata">/sampledata</option>
	<option value="sampledata/fruitshop">/sampledata/fruitshop</option>
	<option value="sampledata/parks">/sampledata/parks</option>
	<option value="sampledata/parks/animals">/sampledata/parks/animals</option>
	<option value="sampledata/parks/landscape">/sampledata/parks/landscape</option>
</select>

@dgt41 @C-Lodder Please help. Thanks.

C-Lodder - comment - 24 Jan 2018

This is the event for the button: https://github.com/joomla/joomla-cms/blob/staging/media/media/js/popup-imagemanager.js#L56

No idea what author is supposed to do on all this and the description for the param isn't helpful:

* @param   mixed   author  Probably an integer or undefined, optional

Quy - comment - 24 Jan 2018

author is the author of the article. It is for access check here in media.php.

$input  = JFactory::getApplication()->input;
$user   = JFactory::getUser();
$asset  = $input->get('asset');
$author = $input->get('author');

// Access check.
if (!$user->authorise('core.manage', 'com_media') && (!$asset || (!$user->authorise('core.edit', $asset)
	&& !$user->authorise('core.create', $asset)
	&& count($user->getAuthorisedCategories($asset, 'core.create')) == 0)
	&& !($user->id == $author && $user->authorise('core.edit.own', $asset))))
{
	throw new JAccessExceptionNotallowed(JText::_('JERROR_ALERTNOAUTHOR'), 403);
}

C-Lodder - comment - 24 Jan 2018

Not sure why we need the author to click the "Up" button though. Gonna have to install J3 and test tomorrow

Quy - comment - 24 Jan 2018

As you can see from the original report, asset and author are empty.

403 from Up button:
GET http://example.com/folder/index.php?option=com_media&view=imagesList&tmpl=component&asset=&author=&folder=top/level-one

200 from drop-down:
GET http://example.com/folder/index.php?option=com_media&view=imagesList&tmpl=component&asset=61&author=849&folder=top/level-one
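
The difference between the two requests above, as an added example that is not part of the thread or of PR #19443: a JavaScript model of the quoted `media.php` access check, and an Up-folder URL builder that keeps `asset` and `author`. `makeUser`, its grant strings, the user ids and the `level-two` sub-folder are assumptions made for the example.

```javascript
// Added example: a JavaScript model of the quoted PHP access check plus an
// Up-folder URL builder. makeUser and its grant strings are hypothetical.
function makeUser(id, grants) {
  const set = new Set(grants);
  return {
    id,
    can: (action, asset) => set.has(action + '@' + asset),
    createCategories: () => [], // stands in for getAuthorisedCategories()
  };
}

// Same boolean structure as the check in media.php quoted in the thread.
function mediaAccessStatus(user, query) {
  const asset = query.get('asset');   // '' when the client sends "asset="
  const author = query.get('author');
  if (user.can('core.manage', 'com_media')) return 200; // super users pass here
  const denied = !asset || (
    !user.can('core.edit', asset) &&
    !user.can('core.create', asset) &&
    user.createCategories(asset).length === 0 &&
    !(String(user.id) === author && user.can('core.edit.own', asset)));
  return denied ? 403 : 200;
}

// Derive the parent-folder request from the URL already loaded in the list
// frame, so asset and author are carried over instead of being sent empty.
function upFolderUrl(frameUrl) {
  const url = new URL(frameUrl);
  const path = (url.searchParams.get('folder') || '').split('/');
  path.pop();
  url.searchParams.set('folder', path.join('/'));
  return url;
}

const base = 'http://example.com/folder/index.php?option=com_media&view=imagesList&tmpl=component';
// The two requests from the report, then a constructed sub-folder URL.
const fromUpButton = new URL(base + '&asset=&author=&folder=top/level-one');
const fromDropDown = new URL(base + '&asset=61&author=849&folder=top/level-one');
const inSubFolder = base + '&asset=61&author=849&folder=top/level-one/level-two';

// Constructed users: a Publisher who may edit asset 61, and a super user.
const publisher = makeUser(849, ['core.edit@61']);
const superUser = makeUser(1, ['core.manage@com_media']);

console.log(mediaAccessStatus(publisher, fromUpButton.searchParams)); // 403
console.log(mediaAccessStatus(publisher, fromDropDown.searchParams)); // 200
console.log(mediaAccessStatus(superUser, fromUpButton.searchParams)); // 200
console.log(upFolderUrl(inSubFolder).searchParams.get('asset'));      // 61
```

The model shows why a super user never sees the error: `core.manage` on `com_media` is evaluated first, so the empty `asset` is only reached for other groups. The server-side check stays as it is; only the client request changes.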

C-Lodder - comment - 24 Jan 2018

PR: #19443

brianteeman - change - 24 Jan 2018
Status: Discussion → Closed
Closed_Date: 0000-00-00 00:00:00 → 2018-01-24 11:24:23
Closed_By: brianteeman
brianteeman - comment - 24 Jan 2018

Closed see #19443

brianteeman - close - 24 Jan 2018
franz-wohlkoenig - change - 24 Jan 2018
Closed_Date: 2018-01-24 11:24:23 → 2018-01-24 11:24:24
Closed_By: brianteeman → franz-wohlkoenig
joomla-cms-bot - comment - 24 Jan 2018
franz-wohlkoenig - comment - 24 Jan 2018

closed as having Pull Request #19443
