aces · racostas · Apr 25, 2024 · May 23, 2024 · May 30, 2024 · driusan
diff --git a/SQL/0000-00-02-Permission.sql b/SQL/0000-00-02-Permission.sql
@@ -33,7 +33,7 @@ CREATE TABLE `permissions` (
       'View/Create/Edit',
       'Create/Edit',
       'Edit/Upload',
-      'Edit/Upload/Delete'),
+      'Edit/Upload/Hide'),
   `categoryID` int(10) NOT NULL DEFAULT '2',
   PRIMARY KEY (`permID`),
   UNIQUE KEY `code` (`code`),
@@ -102,7 +102,7 @@ INSERT INTO `permissions` VALUES
     (31,'acknowledgements_edit','Acknowledgee List',(SELECT ID FROM modules WHERE Name='acknowledgements'),'Edit','2'),
     (32,'dataquery_view','Cross-Modality Data',(SELECT ID FROM modules WHERE Name='dataquery'),'View/Download','2'),
     (33,'genomic_data_manager','Genomic Files',(SELECT ID FROM modules WHERE Name='genomic_browser'),'Upload','2'),
-    (34,'media_write','Candidate Media Files',(SELECT ID FROM modules WHERE Name='media'),'Edit/Upload/Delete','2'),
+    (34,'media_write','Candidate Media Files',(SELECT ID FROM modules WHERE Name='media'),'Edit/Upload/Hide','2'),
     (35,'media_read','Candidate Media Files',(SELECT ID FROM modules WHERE Name='media'),'View/Download','2'),
     (36,'issue_tracker_reporter', 'Create/Edit Own Issues and Comment on All Issues',(SELECT ID FROM modules WHERE Name='issue_tracker'),NULL, 2),
     (37,'issue_tracker_developer', 'Close/Edit/Re-assign/Comment on All Issues',(SELECT ID FROM modules WHERE Name='issue_tracker'),NULL, 2),

diff --git a/modules/media/ajax/FileUpload.php b/modules/media/ajax/FileUpload.php
@@ -88,7 +88,7 @@ function uploadFile()
     $db     = \NDB_Factory::singleton()->database();
     $config = NDB_Config::singleton();
     $user   =& User::singleton();
-    if (!$user->hasPermission('media_write')) {
+    if (!$user->hasPermission('media_read')) {
         showMediaError("Permission Denied", 403);
         exit;
     }

diff --git a/modules/media/jsx/mediaIndex.js b/modules/media/jsx/mediaIndex.js
@@ -107,7 +107,7 @@ class MediaIndex extends Component {
     let result = <td className={style}>{cell}</td>;
     switch (column) {
     case 'File Name':
-      if (this.props.hasPermission('media_write')) {
+      if (this.props.hasPermission('media_read')) {
         const downloadURL = loris.BaseURL
                             + '/media/files/'
                             + encodeURIComponent(row['File Name']);

diff --git a/modules/media/php/files.class.inc b/modules/media/php/files.class.inc
@@ -18,10 +18,7 @@ class Files extends \LORIS\Http\FilesPassthroughEndpoint
      */
     function _hasAccess(\User $user): bool
     {
-        //XXX: Should this be 'media_read' instead? It seems that downloading
-        //     files should be a read permission, not write.. but this is the
-        //     permission that the old ajax script was checking.
-        return $user->hasPermission('media_write');
+        return $user->hasPermission('media_read');
     }
 
     /**