
Not a bug Attachments are not following user group permissions

Moshe1010

Well-known member
#1
If I have a few private forums and users are uploading attachments to these forums, anyone can access these attachments by just browsing the /attachments/ path.

For example, I've uploaded an image to a private forum and its path is: http://www.domain.com/attachments/11853/
Then, a user who doesn't have access to the forum that this image was uploaded to can access the image directly through his/her browser, although this user doesn't have any access to the forum this image was uploaded to.
Users can basically browse attachments from 1 to whatever and see everything they shouldn't be able to see.

Brogan

XenForo moderator
Staff member
#2
The /internal_data directory respects the permissions set in the forum so I don't see how this can be possible.

Can you post links to threads in the private forum and also the relevant attachments?
 

Mike

XenForo developer
Staff member
#3
Permissions are checked in the attachment handler. Can you send me a link to an attachment I shouldn't be able to see?

I'd also recommend confirming with an incognito browser session (not logging out) and with add-ons disabled. Attachments are fairly strongly cached so logging out may still trigger the cache.
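
An added illustration of the behaviour discussed in this thread, not part of any post and not XenForo's code: a minimal model of an attachment handler that takes view permission from the parent forum rather than from knowledge of the attachment id, plus a check an administrator could run for a given visitor. All forum ids, group names, the attachment-to-forum mapping and the function names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: forum id -> user groups allowed to view it.
FORUM_VIEW_GROUPS = {
    1: {"guest", "registered", "staff"},   # public forum
    2: {"staff"},                          # private forum
}

# Constructed sample data: attachment id -> forum that holds its post.
ATTACHMENT_FORUM = {11851: 1, 11852: 2, 11853: 2}


@dataclass(frozen=True)
class Visitor:
    name: str
    groups: frozenset


def can_view_attachment(visitor, attachment_id):
    """Permission comes from the parent forum, never from knowing the id."""
    forum_id = ATTACHMENT_FORUM.get(attachment_id)
    if forum_id is None:
        return False
    allowed = FORUM_VIEW_GROUPS.get(forum_id, set())  # unknown forum: deny
    return bool(visitor.groups & allowed)


def handle_attachment_request(visitor, attachment_id):
    """Return (status, headers) for GET /attachments/<id>/."""
    if attachment_id not in ATTACHMENT_FORUM:
        return 404, {}
    if not can_view_attachment(visitor, attachment_id):
        return 403, {"Cache-Control": "no-store"}
    # 'private' stops shared caches storing the file; the browser's own
    # cache can still hold a copy, hence testing with a fresh session.
    return 200, {"Cache-Control": "private, max-age=3600"}


def audit_exposed(visitor, private_forum_ids):
    """Attachment ids in private forums that this visitor can still fetch."""
    return sorted(
        att_id for att_id, forum_id in ATTACHMENT_FORUM.items()
        if forum_id in private_forum_ids
        and handle_attachment_request(visitor, att_id)[0] == 200
    )
```

An empty list from `audit_exposed` for a visitor outside the private forum's groups is the expected result; any id it returns is an attachment served without the forum's permission being applied.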