[GH-ISSUE #553] Disable / Hide destructive actions when use_auth is false. #398

New issue

Open

opened 2026-03-02 15:58:28 +03:00 by kerem · 2 comments

kerem commented

2026-03-02 15:58:28 +03:00

Owner

Originally created by @17500mph on GitHub (May 20, 2021).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/553

Seems like TFM was showing only the three non-destructuve Actions when in $user mode or in use_auth=false.

Now I see three action icons (Preview, permalink and download) plus three placeholders that still allow access to the Delete, Rename, and, Copy to.. actions:

In screenshot: Upper vs. Lower, and see the 'delete' tool tip visible?

Ideally, I'd like to be able to login as admin but if no login, it functions as if $use_auth = false.

I don't need the login option even visible. If I use the URL, then it lets me. Otherwise it's just read only. Right now the only way I can think to do that is use two separate instances of TFM, where the URL to the one that can be logged into for admin is unpublished. Which isn't that horrible actually. But right now, the destructive Actions are still working .. and I would rather them not be. :)

Originally created by @17500mph on GitHub (May 20, 2021). Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/553 Seems like TFM was showing only the three non-destructuve Actions when in $user mode or in use_auth=false. Now I see three action icons (Preview, permalink and download) plus three placeholders that still allow access to the Delete, Rename, and, Copy to.. actions: In screenshot: Upper vs. Lower, and see the 'delete' tool tip visible? <img width="992" alt="Screen Shot 2021-05-20 at 01 43 58" src="https://user-images.githubusercontent.com/36385273/118948389-113f3300-b90d-11eb-8d0e-9eb9ece50eef.png"> Ideally, I'd like to be able to login as admin but if no login, it functions as if $use_auth = false. I don't need the login option even visible. If I use the URL, then it lets me. Otherwise it's just read only. Right now the only way I can think to do that is use two separate instances of TFM, where the URL to the one that can be logged into for admin is unpublished. Which isn't that horrible actually. But right now, the destructive Actions are still working .. and I would rather them not be. :)

kerem commented

2026-03-02 15:58:28 +03:00

Author

Owner

@17500mph commented on GitHub (Jun 12, 2021):

Also, want to make sure that even if the user knows the URL for a destructive function that it does not accept it if auth is false. Probably already does, but just in case it has not been tried.

...and I just tried. It does let me delete as it's still showing me the link content in the lower left of the browser as it does.

@17500mph commented on GitHub (Jun 12, 2021): Also, want to make sure that even if the user knows the URL for a destructive function that it does not accept it if auth is false. Probably already does, but just in case it has not been tried. ...and I just tried. It does let me delete as it's still showing me the link content in the lower left of the browser as it does.

kerem commented

2026-03-02 15:58:29 +03:00

Author

Owner

@17500mph commented on GitHub (Jun 13, 2021):

To replicate this use the script with $auth=true, sign in as user and then change $auth to false.

@17500mph commented on GitHub (Jun 13, 2021): To replicate this use the script with $auth=true, sign in as user and then change $auth to false.