From 5e56af9c9da77a98645c54166d83589db322354f Mon Sep 17 00:00:00 2001 From: Rick Pasetto Date: Thu, 5 Nov 2009 11:07:03 -0800 Subject: FIX DEV-42115: Remove modify permission check that would grant navigate/interact or controls "permission" Review #27 Back when media controls (an unfortunately much-overloaded word) was called media permission (also an overloaded word), we granted "permission" for interact/navigate or controls "display" if the requestor agent had modify permissions. This decision doesn't seem to make sense, because it is a common use case to want to "disable" controls (or perhaps interaction/navigate) even for the user who created the object (i.e. who has modify permissions). This removes that check. NOTE that this check is also made on the server, but in that case modify permissions *grants* the right to navigate in that case. Although the code is very similar, the viewer version is trying to address a use case story, whereas the other is trying to prevent a griefing vector. --- indra/newview/llvovolume.cpp | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'indra/newview/llvovolume.cpp') diff --git a/indra/newview/llvovolume.cpp b/indra/newview/llvovolume.cpp index 1d94e9118e..caeda3d1db 100644 --- a/indra/newview/llvovolume.cpp +++ b/indra/newview/llvovolume.cpp @@ -1796,20 +1796,19 @@ void LLVOVolume::mediaNavigateBounceBack(U8 texture_index) bool LLVOVolume::hasMediaPermission(const LLMediaEntry* media_entry, MediaPermType perm_type) { - // NOTE: This logic duplicates the logic in the server (in particular, in llmediaservice.cpp). + // NOTE: This logic ALMOST duplicates the logic in the server (in particular, in llmediaservice.cpp). if (NULL == media_entry ) return false; // XXX should we assert here? - // The agent has permissions to navigate if: - // - agent has edit permissions, or + // The agent has permissions if: // - world permissions are on, or // - group permissions are on, and agent_id is in the group, or // - agent permissions are on, and agent_id is the owner - if (permModify()) - { - return true; - } - + // *NOTE: We *used* to check for modify permissions here (i.e. permissions were + // granted if permModify() was true). However, this doesn't make sense in the + // viewer: we don't want to show controls or allow interaction if the author + // has deemed it so. See DEV-42115. + U8 media_perms = (perm_type == MEDIA_PERM_INTERACT) ? media_entry->getPermsInteract() : media_entry->getPermsControl(); // World permissions -- cgit v1.2.3