The function of "Drop attachments here..." is only for root user? I'd like it could be used by all users.

I can't confirm this behavoiur. In our instance, every user can use the attachment function of the elog.
Either through "Drag&Drop" or "Browse&Upload" in the entry editor.

What do you mean by "root" user?
The elog can have serveral admin users, but this behaviour is equal for admin and non-admin users.
You should not run the elog server as user "root" of the machine for security reason, but also for issues with file permissions.

I just used my own account to test the "Drag&Drop" function in this forum ,  and it failed.  In our case, we need to upload ten more images into logbook at once, it's more effective to use "Drag&Drop" than "Browse&Upload" feature for "Browse&Upload" only can choose one attachment at once, but "Drag&Drop" can choose several attachments at once. The admin user can use this feature, but non-admin user not in our site. I did run the elog server as  user "root". I'm not sure it is related to the problem.

In my testings I didn't found this behaviour, but my collegues also reported this issue.
So I searched for the difference between my test setup and the production logbooks.

I believe the "restrict edit = 1" config option may be responsible for this behaviour.
I had the browser console running in the background and "Drag&Drop" send an XHR request,
which failed with the message: "Only user can edit this entry".
This message is tied to the "restrict edit" option as far as I know.
So I tried removing the option and upload via "Drag&Drop" started to work as intended.
This behaviour only occurs for non-admin users, as admin users are not affected by

Can you verify this?
I can verify to get the same error message in this elog forum in the browser console.

Our setup uses "Authentication=Webserver" + no automatic user registration. Thus, logbook admins should add a user by clicking "Config"  and then "New user". However, no matter what they fill in in the "new user " dialog, as soon as they hit "Save" an error pops up saying that their username (the admin one, not the new one) already exists. I found the following code:

int save_user_config(LOGBOOK * lbs, char *user, BOOL new_user)
{
   char file_name[256], str[256], *pl, user_enc[256], new_pwd[80], new_pwd2[80], smtp_host[256],
       email_addr[256], mail_from[256], mail_from_name[256], subject[256], mail_text[2000], str2[256],
       admin_user[80], url[256], error[2000], sid[32];
   int i, self_register, code, first_user;
   PMXML_NODE node, subnode, npwd; 

   /* if we outsourced the authentication, use external username */
   getcfg(lbs->name, "Authentication", str, sizeof(str));
   if (stristr(str, "Webserver")) {
      /* do not allow HTML in user name */
      strencode2(user_enc, http_user, sizeof(user_enc));
   } else {
      strencode2(user_enc, user, sizeof(user_enc));
   }
 

which seems to be the culprit:  the admin user is logged using his/her Webserver (http_user) credentials and this overrides anything that he/she might fill in.  If I remove the "Authentication" check then I can create a new user without problems.  So, how to fix this? should the "Authentication=Webserver" check be extended with a self/auto registration check?