If I understand correctly, permissions are solely group-based. In the Files and Images section of the CMS, permissions based on a file's owner cannot be set as standard. Unless I have overlooked something, in order to give a user the ability to upload documents, you also have to give that user delete-access to documents uploaded by other users - even users belonging to different groups.
In order to resolve this vulnerability, I have come up with a solution, but it is extremely hacky (documents are uploaded to the root assets folder only) and I do not like it. For what it is worth, this is what I did. Changes were made in 4 areas as follows. I am using Version 2.4.7 because I am limited to using PHP 5.2.
The following changes were made to sapphire\filesystem\File.php
    function canEdit($member = null) {
        /*
        if(!$member) $member = Member::currentUser();
        $result = $this->extendedCan('canEdit', $member);
        if($result !== null) return $result;
        return Permission::checkMember($member, 'CMS_ACCESS_AssetAdmin');
        */
        // Gives edit capability to admin members for all files
        $ID = (int)$this->getField('ID'); // cast so only an integer reaches the SQL string
        if(!$member) $member = Member::currentUser();
        if(Permission::checkMember($member, 'ADMIN') || $ID == 0) {
            return true;
        } else if($member) { // nobody logged in: fall through to false
            // Gives edit capability to the owner of the folder/file
            $ownerid = My::returnValue("select ownerid from File where ID=$ID");
            if($member->ID == $ownerid) return true;
        }
        return false;
    }
where My::returnValue is a function which I wrote so I could use standard SQL. (This is probably not recommended)
When browsing admin/assets, the above change allows edit/delete links to appear for records belonging to the file owner only unless the user is an administrator.
The following two lines were added at Line 391 in sapphire\filesystem\Folder.php
    $member = Member::currentUser();
    if(!Permission::checkMember($member, 'ADMIN')) $deleteButton = new HiddenField('deletemarked');
This removes the Delete Selected Files button at the bottom of the right hand frame.
The following two lines were added to the top and bottom of cms\templates\Includes\AssetAdmin_left.ss.
    <% if isAdministrator %>
    ....
    <% end_if %>
This removes all content in the left hand frame. This was necessary to remove folder deletion capability.
The following code was added to cms\code\AssetAdmin.php.
    function isAdministrator() {
        // Check the logged-in member; $this is the AssetAdmin controller, not a Member
        return Permission::checkMember(Member::currentUser(), 'ADMIN');
    }
The above function had to be created because use of a conditional statement which called the isAdmin function in sapphire\security\Member.php caused issues with variables in cms\templates\Includes\AssetAdmin_left.ss which referenced functions in AssetAdmin.php.
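The owner-or-admin rule from the post can also be attached through the extension hook visible in the commented-out `extendedCan('canEdit', $member)` call, leaving File.php unpatched. The following is an added example, not code from the post or from SilverStripe; the class and file names are hypothetical, and it assumes an unmodified 2.4.x File class that consults extensions in canEdit() and canDelete() and stores the uploader in OwnerID.

```php
<?php
// mysite/code/FileOwnerPermissions.php (hypothetical file and class name)
// Added example for SilverStripe 2.4.x, not part of the original post.
class FileOwnerPermissions extends DataObjectDecorator {

    // Admins may edit any file; other members only files they own.
    // Return values: true = allow, false = deny, null = no opinion
    // (the stock CMS_ACCESS_AssetAdmin check then decides).
    function canEdit($member = null) {
        if(!$member) $member = Member::currentUser();

        // Nobody logged in: deny outright instead of comparing null to an owner ID.
        if(!$member) return false;

        if(Permission::checkMember($member, 'ADMIN')) return true;

        // Record not written yet (for example during upload): there is no
        // owner to compare against, so leave the decision to the core check.
        if(!$this->owner->ID) return null;

        // OwnerID is the column the post reads with "select ownerid from File".
        // Cast both sides so a string "12" from the database matches int 12.
        return (int)$this->owner->OwnerID === (int)$member->ID;
    }

    // Deleting follows the same rule as editing.
    function canDelete($member = null) {
        return $this->canEdit($member);
    }
}

// Registration, placed in mysite/_config.php:
// Object::add_extension('File', 'FileOwnerPermissions');
```

Because the rule is read through the ORM's OwnerID field, no hand-built SQL string is needed, and the decorator survives a core upgrade that would overwrite edits to sapphire\filesystem\File.php.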