1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Not a Bug Attachments are not following user group permissions

Discussion in 'Resolved Bug Reports' started by Moshe1010, Aug 5, 2013.

  1. Moshe1010

    Moshe1010 Well-Known Member

    If I have few private forums and users are uploading attachments to these forums, anyone can access these attachments by just browsing the /attachments/ path.

    For example, I've uploaded an image to a private forum and its path is: http://www.domain.com/attachments/11853/
    Then, a user that doesn't have an access to the forum that this image was uploaded to can access the image directly through his/her browser, although this user doesn't have any access to the forum this image was uploaded to.
    Users can basically browse attachments from 1 to whatever and see everything they shouldn't be able to see.
     
    Last edited: Aug 5, 2013
  2. Brogan

    Brogan XenForo Moderator Staff Member

    The /internal_data directory respects the permissions set in the forum so I don't see how this can be possible.

    Can you post links to threads in the private forum and also the relevant attachments?
     
  3. Mike

    Mike XenForo Developer Staff Member

    Permissions are checked in the attachment handler. Can you send me a link to an attachment I shouldn't be able to see?

    I'd also recommend confirming with an incognito browser session (not logging out) and with add-ons disabled. Attachments are fairly strongly cached so logging out may still trigger the cache.
     
  4. Mike

    Mike XenForo Developer Staff Member

    Looks to be an add-on (not sure which yet).
     
  5. Moshe1010

    Moshe1010 Well-Known Member

    Will report later, thank you!
     
  6. Moshe1010

    Moshe1010 Well-Known Member

Share This Page