Design issue Attached images in private conversations don't show for moderators in reports

boeing747

Active member
Hi,

If someone send an image through private conversation and other participant reports the message, moderators wont see that image in report. the report is empty, also if reporter sends the URL of that attached image as comment of his report moderators dont have access to that image(s)

It says: You do not have permission to view this page or perform this action
 
Unfortunately, this is a general limitation. It would apply in any situation where you can't see the original content in its normal location; it's only visible because it has been reported. When you try to view the attachment, we check your ability to view the conversation in question. Without this, attachments in conversations wouldn't be private.

Note that if it can be identified, the attachment would be viewable in the ACP via the attachment browser.

I don't currently see a great solution to this. I'm going to keep this open for now, but I suspect this will be labelled a "design issue".
 
Does this limitation also apply to reports from forums the moderator can't read? I would expect that a moderator unable to view the content should not be able to read the report. Therefore, maybe moderators who can view a report can be considered to be added as participants in the conversation (added by the person who reported the content)? Since people in the conversation would be able to see the attachment.
 
I've implemented this in v1.5.0 of my (free) report improvements add-on.

It generates per attachment per user links which are work for upto an 30 minutes. This isn't the best solution, but it uses internal state the user should not have access to, a future version will generate & store the key cache, and if then check against that on attachment view.
 
I've been looking into this as part of an Attachment Gallery project. The gallery will allow users to view all their attachments, upload new ones and delete existing ones. What registered members won't know is admins can view their galleries too, though of course they can already see all attachments in the Attachment Browser. Anyway I want content links for each image posted in posts and conversations, and links are available in the attachment model class but only for posts; conversation links are forbidden for everyone. Here's the code from XenForo/AttachmentHandler/ConversationMessage.php:

PHP:
    /**
     * @see XenForo_AttachmentHandler_Abstract::getContentLink()
     */
    public function getContentLink(array $attachment, array $extraParams = array(), $skipPrepend = false)
    {
        return false;

        $extraParams = array_merge(array(
            'message_id' => $attachment['content_id']
        ), $extraParams);

        return parent::getContentLink($attachment, $extraParams, $skipPrepend);
    }

By extending the class and overriding this method, I can let members see their own conversations. Of course general viewing permissions will prevent admins from seeing the conversations. I'll use perms to prevent links from being generated in the first place.
 
Top Bottom