Not a bug Attachments are not following user group permissions

Moshe1010

Moshe1010

Well-known member
If I have few private forums and users are uploading attachments to these forums, anyone can access these attachments by just browsing the /attachments/ path.

For example, I've uploaded an image to a private forum and its path is: http://www.domain.com/attachments/11853/
Then, a user that doesn't have an access to the forum that this image was uploaded to can access the image directly through his/her browser, although this user doesn't have any access to the forum this image was uploaded to.
Users can basically browse attachments from 1 to whatever and see everything they shouldn't be able to see.
 
Last edited:
The /internal_data directory respects the permissions set in the forum so I don't see how this can be possible.

Can you post links to threads in the private forum and also the relevant attachments?
 
Permissions are checked in the attachment handler. Can you send me a link to an attachment I shouldn't be able to see?

I'd also recommend confirming with an incognito browser session (not logging out) and with add-ons disabled. Attachments are fairly strongly cached so logging out may still trigger the cache.
 

Similar threads

Katsuro
Image attachments are not visible in custom terms and rules thread if forced to re-read terms
Replies
1
Views
61
pegasus
pegasus
Chris D
Fixed Watch Forum functionality not following user preferences
Replies
15
Views
2K
Mike
Mike
Adam Howard
Future fix attachments are not deleted
2
Replies
32
Views
16K
FTL
FTL
Back
Top Bottom