Affects Version/s: 6.2.10 EE GA1, 6.2.X EE
The image browser in CKEditor is set to the root by default. If the user doesn't have permission to view Sites in the Control Panel, which can only be granted to a global role (e.g., Control Panel -> Users -> Roles -> Define Permissions on a Global Role -> Sites -> General -> Access in Control Panel), a user cannot add images to web content in his site, no matter what Site Role permissions he has. To fix this, the CKEditor file browser should be set to the current site as a default location.
We have this scenario in training, and it must be a common one. We grant a user, Space Writer, a Site Web Content Writer role, which is intended to allow that user to enter and edit web content (including images) in one site only. We give that user appropriate rights in the site role to enter Web Content and to upload Documents and Media. The user can then add web content, but whenever he tries to insert an image using the CKEditor file browser, he gets an alert dialog with this error:
The server didn't reply with a proper XML data. Please check your configuration.
(BTW, it would also be nice if we could customize that error message. Though it comes from a 3rd party product, it looks pretty awful, like it's coming from Liferay.)
Doing a Google search for this revealed that this is the error CKEditor displays when it doesn't have access to the directory the user is supposed to be browsing. This clued me in to the fact that we had a permissions issue.
The only way to fix it was to enable a global role (we picked the Power User role) to view Sites in the Control Panel (a permission that's not available in a Site Role). The only reason we have to do this is because the CKEditor browser defaults to browsing the root list of sites, rather than the content of the current site the user is on. It seems to me that the user would already have permission to browse that content via permissions granted to Documents and Media in the Site Role, if the browser defaulted to browsing within the current site. It also seems to me that this goes against the intent of dividing the Dockbar Site Administration tools from the Control Panel.
It's nonintuitive in this instance to have to grant the user another, global, role that grants him access to browse his current site, simply so that he can browse to that site (an extra click) and enter images for his web content. For this reason, I think we should change the CKEditor default to browse within the current site.