The 'Search File Folder' Permission on a Folder does not override the system file permissions

Permalink 0 0 Browser Info Environment
The sites we build in C5 have lots of users/site editors and to avoid people from deleting files that other users have uploaded we take advantage of the File Uploader permission where users who are not an admin or super user can only see the files they upload which works very well.

We thought it would be useful to share certain files in some cases so we created a "Shared" Folder and set permissions that allow users who are not an admin or super user to be able to view the shared folder and files, where typically they would only see the files they upload.

The issue is when we set the "Search File Folder" permission on the folder this is supposed to allow users who are assigned to custom groups (Editors Group) to be able to see the shared folder and view files it contains. The folder does appear as expected, however you cannot access the files within the folder, when you click the shared folder the file manager displays a blank window that says error (see attached).

The only way we can allow users who are assigned to custom groups to view the files is by adding their group to the the 'Search File Folder' permission that lives /dashboard/system/files/permissions - but when you do that now the users see all files which is not what we want.

We only want users who are assigned to custom groups to be able to view the files they upload (File Uploader permission) and be able to access the shared folder and whatever files within the shared folder.

Our understanding is when you assign the 'Search File Folder' permission on the folder it should overwrite the system file permission which is doesn't. We've tested this in v8.2 - v8.5 and are pretty confident this is a bug.

1 Attachment

Status: New

concrete5 Environment Information

# concrete5 Version
Core Version - 8.5.0RC1
Version Installed - 8.5.0RC1
Database Version - 20190129000000

# concrete5 Packages

# concrete5 Overrides

# concrete5 Cache Settings
Block Cache - On
Overrides Cache - On
Full Page Caching - On - If blocks on the particular page allow it.
Full Page Cache Lifetime - Every 6 hours (default setting).

# Server Software

# Server API

# PHP Version

# PHP Extensions
calendar, cgi-fcgi, Core, ctype, curl, date, dom, enchant, exif, fileinfo, filter, ftp, gd, gettext, gmp, hash, iconv, intl, json, libxml, mbstring, mcrypt, mysqli, mysqlnd, openssl, pcre, PDO, pdo_mysql, pdo_sqlite, Phar, posix, pspell, Reflection, session, SimpleXML, soap, SPL, sqlite3, standard, tokenizer, wddx, xml, xmlreader, xmlrpc, xmlwriter, xsl, Zend OPcache, zip, zlib

# PHP Settings
max_execution_time - 300
log_errors_max_len - 1024
max_file_uploads - 20
max_input_nesting_level - 64
max_input_time - 600
max_input_vars - 8000
memory_limit - 300M
post_max_size - 32M
sql.safe_mode - Off
upload_max_filesize - 100M
mysqli.max_links - Unlimited
mysqli.max_persistent - Unlimited
pcre.backtrack_limit - 1000000
pcre.recursion_limit - 100000
session.cache_limiter - <i>no value</i>
session.gc_maxlifetime - 7200
soap.wsdl_cache_limit - 5
opcache.max_accelerated_files - 4000
opcache.max_file_size - 0
opcache.max_wasted_percentage - 5

Browser User-Agent String

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36