Here is the diagnostic (using version 2005-07-13 on Linux/Gentoo):
- Using an admin user, I can upload an image in my namespace (normal: admin rights are checked before user ones in auth.php)
- Using a normal user, which is part of a group, I've got no right to upload an image in my namespace, despite the ACLs being well defined.
User in conf/users.auth.php is part of group "myapp":
doe:XXXX:Mister Doe:doe@intrinsec.com:user,myapp
I've got a page named "myapp" (doku.php?id=myapp) which points to many pages in a namespace called "myapp:*" (doku.php?id=myapp:scheduler for example).
The ACL in conf/acl.auth.php is:
myapp:* @myapp 16
myapp:* myapp 1
myapp:* @ALL 0
myapp @ALL 0
myapp myapp 1
myapp @myapp 2
So, group "myapp" has restricted rights on the myapp index page, but has all rights on the pages included in the namespace.
When trying to upload an image, my user tries to upload it in the namespace "myapp", but he only has the right "2", so he can only edit the page but not upload images on this page. He should have the right "16", because uploading deals with namespaces and not pages.
The mismatch is in auth.php: when opening the "media.php" popup, it checks the user rights:
$matches = preg_grep('/^'.$id.'\\s+('.$regexp.')\\s+/',$AUTH_ACL);
This does check $id (= "myapp:*") against the ACLs. But "myapp" (without the ":*") also matches because "*" is not escaped. So my user is assigned the "myapp" page rights instead of the "myapp" namespace rights. So he has no right to upload his image.
When escaping the ":*", my user receives the namespace rights, and can upload his image.
By escaping, I mean replacing the line by:
$matches = preg_grep('/^'.str_replace(':*',':\\*',$id).'\\s+('.$regexp.')\\s+/',$AUTH_ACL);
I think that should better fit the use of rights, because upload rights can be assigned on namespaces but not on pages.
Laurent.
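
The lookup described in the report, as an added example that is not part of the original post and is not DokuWiki's own code: it runs the ACL lines quoted above through the same `preg_grep` shape, once with `$id` interpolated raw and once quoted, and prints which entries each pattern selects. It uses PHP's `preg_quote` instead of the `str_replace` proposed in the report; the function name `acl_lookup`, the subject list for user "doe", and taking the highest matching level are assumptions made for the illustration.

```php
<?php
// Added illustration, not DokuWiki source. ACL lines are those quoted in the report
// (tab-separated here; the separator is an assumption).
$AUTH_ACL = [
    "myapp:*\t@myapp\t16",
    "myapp:*\tmyapp\t1",
    "myapp:*\t@ALL\t0",
    "myapp\t@ALL\t0",
    "myapp\tmyapp\t1",
    "myapp\t@myapp\t2",
];

/**
 * Hypothetical helper: return [matching ACL lines, highest level among them].
 * $quote = false reproduces the raw interpolation of $id from the report.
 * Picking the highest matching level is a simplification (assumption).
 */
function acl_lookup(array $acl, string $id, array $subjects, bool $quote): array
{
    // User name and @groups are always quoted; only the handling of $id varies.
    $who = implode('|', array_map(fn($s) => preg_quote($s, '/'), $subjects));
    // Unquoted, ":*" is read by PCRE as "zero or more colons", not ":" plus "*".
    $idPattern = $quote ? preg_quote($id, '/') : $id;
    $matches = preg_grep('/^' . $idPattern . '\s+(' . $who . ')\s+/', $acl);

    $level = 0;
    foreach ($matches as $line) {
        $fields = preg_split('/\s+/', trim($line));
        $level = max($level, (int) $fields[2]);
    }
    return [array_values($matches), $level];
}

// Constructed subject list for user "doe" in groups "user" and "myapp".
$subjects = ['doe', '@user', '@myapp', '@ALL'];

foreach ([false, true] as $quote) {
    [$lines, $level] = acl_lookup($AUTH_ACL, 'myapp:*', $subjects, $quote);
    printf("%s id: effective level %d\n", $quote ? 'quoted' : 'raw', $level);
    foreach ($lines as $line) {
        echo '    ', str_replace("\t", ' ', $line), "\n";
    }
}
```

Any value interpolated into an ACL-matching pattern needs the same quoting, since an unescaped metacharacter in a page or namespace id silently changes which rule decides access.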