[Reposted from http://dev.fckeditor.net/ticket/3081]
I think the permission model for folderRename and folderDelete is not quite right.
Supposing we have this filesystem:
/somefolder/
/foldername/
/foldername/somefile.txt
/foldername/subfolder/
If I set: folderRename = true on /foldername/
I would expect this to work like the unix model, namely:
- That I should be able to rename what is in the folder, namely somefile.txt and subfolder.
- But I should not be able to rename the folder itself.
Instead, foldername itself can be renamed, which seems odd. I think instead this should follow the unix model, which is that you can't make changes unless the container gives you that permission.
At present it's impossible to stop people breaking a site by renaming a containing high-level folder, other than using a rather messy workaround of not assigning rename rights on the folder itself and then adding rename rights for every folder individually under that main one.
If this change is not made I think it needs to be more clearly documented next to the folderRename and folderDelete options at
http://docs.fckeditor.net/CKFinder/Deve ... _ACL_Items
as there is definitely a chance that people will assume the Unix way, resulting in users making folder name changes or deletes that weren't intended to be allowed, which could be regarded as a security issue in some cases.
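
The two permission models contrasted in the post above, as an added example that is not part of the original post and is not CKFinder's code. The ACL dictionary, the function names, and the rule that a folder without its own entry inherits its nearest ancestor's flag are assumptions made for illustration.

```python
from posixpath import dirname, normpath

# Constructed ACL for the folder tree in the post. Keys are folder paths,
# values are a hypothetical folderRename flag set on that path.
ACL = {"/": False, "/foldername": True}


def _norm(path):
    """Canonical form: leading slash, no trailing slash ("/" stays "/")."""
    return normpath("/" + path.strip("/"))


def effective_flag(acl, path):
    """Assumption: a folder with no entry inherits its nearest ancestor's flag."""
    path = _norm(path)
    while True:
        if path in acl:
            return acl[path]
        if path == "/":
            return False  # no entry anywhere on the way up: deny
        path = dirname(path)


def can_rename_reported(acl, folder):
    """Behaviour described in the post: the flag on a folder governs that folder."""
    return effective_flag(acl, folder)


def can_rename_container(acl, folder):
    """Unix-style model: the flag on the parent governs renaming its entries."""
    folder = _norm(folder)
    if folder == "/":
        return False  # the root has no container that could grant the right
    return effective_flag(acl, dirname(folder))


def compare(acl, folders):
    """Map each folder to (reported-model result, container-model result)."""
    return {f: (can_rename_reported(acl, f), can_rename_container(acl, f))
            for f in folders}


if __name__ == "__main__":
    tree = ["/somefolder", "/foldername", "/foldername/subfolder"]
    for folder, (reported, container) in compare(ACL, tree).items():
        print(f"{folder:24} reported={reported!s:5} container={container}")
```

The only row where the two models disagree is `/foldername` itself, which is the case the post objects to.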