Media browser Up button URL missing params / 403 error

[alansegar]

Steps to reproduce the issue

Fresh install of Joomla 3.7.2
Create a user and assign the Publisher group.
Log into the front-end as the new user.
Edit an article, clicking the Image button to insert an image.
Navigate to a sub-folder (doesn't matter how many levels down the tree).
Click the Up button to return to the parent folder you were just in.

Expected result

The parent folder should be shown

Actual result

An error page is shown (403 error in Network tab)

System information (as much as possible)

Additional comments

This affects both front-end and back-end (as long as the user isn't a superuser).
It also affects other places which use the same file selector e.g. Images and Links tab.

Using the drop-down list next to the button which works fine, I've been able to see the difference between the requests. The working request has asset and author values set (asset=61&author=849) but the broken one does not have these values populated (asset=&author=):

403 from Up button:
GET http://example.com/folder/index.php?option=com_media&view=imagesList&tmpl=component&asset=&author=&folder=top/level-one

200 from drop-down:
GET http://example.com/folder/index.php?option=com_media&view=imagesList&tmpl=component&asset=61&author=849&folder=top/level-one

Issue confirmed, Up-Button in Media-Manager don't work.

[brianteeman]

weird as it works correctly for a super user

[brianteeman]

Looks like the problem is coming from here where it is not getting a value for author
https://github.com/joomla/joomla-cms/blob/staging/media/media/js/popup-imagemanager.js#L274

[Quy]

The issue is that asset and author are not set in this.setFrameUrl(search);

		/**
		 * Move up one directory
		 *
		 * @return  void
		 */
		upFolder: function ()
		{
			var path = this.folderlist.value.split('/'),
				search;

			path.pop();
			search = path.join('/');

			this.setFolder(search);
			this.setFrameUrl(search);
		},

I don't know JavaScript to update the above code to extract the asset and author values from the following:

<select id="folderlist" name="folderlist" size="1" onchange="ImageManager.setFolder(this.options[this.selectedIndex].value, 159, 433)" style="display: none;">
	<option value="">/</option>
	<option value="banners">/banners</option>
	<option value="headers">/headers</option>
	<option value="sampledata">/sampledata</option>
	<option value="sampledata/fruitshop">/sampledata/fruitshop</option>
	<option value="sampledata/parks">/sampledata/parks</option>
	<option value="sampledata/parks/animals">/sampledata/parks/animals</option>
	<option value="sampledata/parks/landscape">/sampledata/parks/landscape</option>
</select>

@DGT41 @C-Lodder Please help. Thanks.

[C-Lodder]

This is the event for the button: https://github.com/joomla/joomla-cms/blob/staging/media/media/js/popup-imagemanager.js#L56

No idea what author is supposed to do on all this and the description for the param isn't helpful:

* @param   mixed   author  Probably an integer or undefined, optional

[Quy]

author is the author of the article. It is for access check here in media.php.

$input  = JFactory::getApplication()->input;
$user   = JFactory::getUser();
$asset  = $input->get('asset');
$author = $input->get('author');

// Access check.
if (!$user->authorise('core.manage', 'com_media') && (!$asset || (!$user->authorise('core.edit', $asset)
	&& !$user->authorise('core.create', $asset)
	&& count($user->getAuthorisedCategories($asset, 'core.create')) == 0)
	&& !($user->id == $author && $user->authorise('core.edit.own', $asset))))
{
	throw new JAccessExceptionNotallowed(JText::_('JERROR_ALERTNOAUTHOR'), 403);
}

[C-Lodder]

Not sure why we need the author to click the "Up" button though. Gonna have to install J3 and test tomorrow

[Quy]

As you can see from the original report, asset and author are empty.

403 from Up button:
GET http://example.com/folder/index.php?option=com_media&view=imagesList&tmpl=component&asset=&author=&folder=top/level-one

200 from drop-down:
GET http://example.com/folder/index.php?option=com_media&view=imagesList&tmpl=component&asset=61&author=849&folder=top/level-one

[C-Lodder]

PR: #19443

[brianteeman]

Closed see #19443

[joomla-cms-bot]

Set to "closed" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/16860

closed as having Pull Request #19443