Not a bug Attachments are not following user group permissions

Moshe1010

Well-known member
If I have few private forums and users are uploading attachments to these forums, anyone can access these attachments by just browsing the /attachments/ path.

For example, I've uploaded an image to a private forum and its path is: http://www.domain.com/attachments/11853/
Then, a user that doesn't have an access to the forum that this image was uploaded to can access the image directly through his/her browser, although this user doesn't have any access to the forum this image was uploaded to.
Users can basically browse attachments from 1 to whatever and see everything they shouldn't be able to see.
 
Last edited:

Brogan

XenForo moderator
Staff member
The /internal_data directory respects the permissions set in the forum so I don't see how this can be possible.

Can you post links to threads in the private forum and also the relevant attachments?
 

Mike

XenForo developer
Staff member
Permissions are checked in the attachment handler. Can you send me a link to an attachment I shouldn't be able to see?

I'd also recommend confirming with an incognito browser session (not logging out) and with add-ons disabled. Attachments are fairly strongly cached so logging out may still trigger the cache.
 
Top