It does not make sense from a security and privacy standpoint to let in the frontend user A view files from user B.
Creating a separate upload directory for every user would be a nightmare. Strange there is no build in variable for this when in the database there is a field to identify the user as you mentioned. I wonder how others solved this.
I am guessing that EE File Manager has not been given any significant attention for a long time - these issues were probably present in EE2. The lack of function and attention possibly explains why P+T developed Assets (and then Craft) … and why things like Assets are still viable add-ons today.
Statements various from PacketTide have indicated that they are aware of the deficiencies and that a do-over for File is on the radar, but what the timeline for this is unclear.
I don’t have a recent copy of Assets to look at and the documentation for that does not have any information about the CP UI … so I don’t know if member limited search / view is possible in that add-on, but if not then unless there is some other file manager add-on around with that function I suspect that only option would be for someone to write a ‘safe’ version of the File manager as a separate add-on - since it is not currently possible to make changes to CP behaviour via add-ons.
Given PacketTide’s declaration of their intent to do-over File in the future, I’m not sure how attractive a safe File Manager add-on would be for a developer to get into - am guessing that would be hard to justify the time / energy involved only to see the product made unnecessary soon after.
This is indeed strange. I never used the file uploading features before, still trying to get them to work as they should but based on this I think it can completely be discarded until they fix this. This is probably not a bug, since it was never a feature to begin with.
The database has indeed a field called “uploaded_by_member_id” and as you claimed the ID is identifiable for each file per user.
It just does not make sense not to have an EE tag variable to restrict file manipulation per member.
I cannot imagine how this can be useful for almost any sort of website that has membership without it. Imagine a page that lets users upload their own documents. Or a form on which users upload any sort of files, even if not sensitive. Nobody in their sane mind would enable this feature if users can manipulate others people files.
Since the entry does exist in the database, sure, you could add some hook or PHP to check that, but personally I don’t think extra code or add-ons should be required for something this critical on a CMS in 2021. It should be a native functionality out of the box.
Some might not even be aware of this and enable it on a page, creating a security issue without being aware.
Packet Tide owns and develops ExpressionEngine. © Packet Tide, All Rights Reserved.