Forced effective Manage Media permission

[mrpavlitzky]

Issue

Checking Manage own media permission for a user implicitly grants that user to Manage media which results in his ability to delete other user's media which is unwanted

Expected behaviour

Isolate the own media management permission from the management of all media.

[hishamco]

Does we implemented manage own and other media permissions completely?

/cc @matiasmolleja

[Skrypt]

Manage Own Media is what should work if not.

[sebastienros]

Seems like ManageMedia is implied by ManageOwnMedia:
https://github.com/OrchardCMS/OrchardCore/blob/main/src/OrchardCore.Modules/OrchardCore.Media/Permissions.cs#L13

[Skrypt]

Please, someone, fix this one for 1.5.

[hishamco]

Manage own media should manage the owner media not others media, seems the issue he/she can manage others media, right?

[hishamco]

One more thing what are the main difference between ManageMedia and ManageMediaFolder? I didn't much difference

[Skrypt]

I suggest that we reassign this issue for 1.6 or that we close it if there will be no action taken.

[hishamco]

Agree to move it into the next release

[ericrrichards]

Not to make this more complicated, but there's a wrinkle that I'm running into at the moment that feels related to this.

I have a content type with the CustomUserSettings stereotype.
This content type has an attached MediaField - editor = "attached"
For a user to edit their own settings and upload a picture to that MediaField, I have to give the role both the "Manage Own Custom User Settings - {content_type}" permission, and the "Manage Own Media" permission.

If I do this, the user can upload an image, but they can also get into other top-level Media Library files because of the implied Manage Media permission, which is not ideal.

But they can't get to the file that they uploaded to the MediaField, because that is underneath the /mediafields folder in the Media Library, and they don't have the "Manage Attached Media Fields Folder" permission.

So the CustomUserSettings MediaField image ends up living in /mediafields/{CustomUserSettings-ContentType}/{CustomUserSettings-ContentItemId}/

Would it be possible to change this for MediaFields on CustomUserSettings objects so that the file ended up under /_Users/{userid}/mediafields/{CustomUserSettings-ContentType}/{CustomUserSettings-ContentItemId}/?

[Piedone]

Please check out this PR for an intended Secure Media feature that fixes this too: #15173.

[Piedone]

Please give your feedback about subfolder permissions here: #9369 (comment).

[Piedone]

If anybody has any feedback on the #15173 PR, please let us know under it. Otherwise, I'll merge it in a week.