Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Customising the CMS

End User not able to use upload in image tab


3 Posts   827 Views


14 January 2009 at 4:15am Community Member, 32 Posts

I am configuring my permission in my CMS so that certain groups can only edit certain areas of the site. It's going pretty well, but I am hitting one snag. I can restirct the users to only have the Site Content and Files & Images tab, and also to only be able to work in the designated areas. The problem is this, the user(group) is not able to use the image side-panel in the CMS to upload images. Additionally when I created a page type simillar to the StaffList page type in the tutorials the end user is not able to use the "images" tab to upload or change the associated photo. The only way I have been able to give the user these rights is to give them full admin rights, which blows away the rest of my permissions...

Any thoughts!?!?!?!?


14 January 2009 at 5:19am Community Member, 32 Posts


I was able to fix it... I used the article at the following link

Basically I had to go to

sapphire/core/model/image.php and make the change below... I don't know why this is set automatiacally... it should be!!!


The iframe action in the Image_Uploader Controller (File: Image.php) checks the Permission for "ADMIN", which is way too restrictive. A user that has Access to the CMS Main and/or Asset Admin should be able to upload Images via iframe.

If this isn't fixed, Image Upload fields aren't functional for all users that don't have full Admin rights.

Change Line 436 from:

if(!Permission::check('ADMIN')) Security::permissionFailure($this);


if(!Permission::check('CMS_ACCESS_AssetAdmin')) Security::permissionFailure($this);
or similar...


14 January 2009 at 6:16am 4085 Posts

Known bug. In /sapphire/core/model/Image.php, do a search for "function iframe" and change the first line to this:

      if(!Permission::check('CMS_ACCESS_LeftAndMain')) Security::permissionFailure($this);