Not a bug Attachments

RichardKYA

Well-known member
This isn't really a bug or a question, but it is, in my eyes, a problem.

All attachments can be viewed by anyone that is logged in very easily, including images uploaded in conversations.

I know conversations are not "private" as such, but let's be honest, they are meant to be "private" and their function is to provide a "private" area for personal conversations.

To the user, conversations are private is what I am saying.

Now yes, on any site I use I would expect even my personal messages, private messages and personal conversations whatever you wanna call them, to monitored by admins/mods at some point, I would consider that fair practice even if I was uploading personal images of any nature to an assumed/applied, maybe not disclosed as private message thread/conversation, but never-the-less, messages of this kind are considered private, so if I upload an image that I only want my friend/family seeing, I wouldn't expect it to be easily viewed by anyone else. I don't mean admin/mods, I mean everyone else.

What alerted me to this problem was an attachment link in a notification e-mail.

I linked to image from within my e-mail and I noticed the url and wondered if changing the image number would display another image and..........................it does!

I don't have to change anything apart the number, so I could put www.mysite.com/forum_folder/attachments/anything-i-want-here-it-doesn't-matter-i-could-put-nothing-if-wanted-as-long-i-have-jpg.9 or whatever number I wanted.

This means, all images are accessible to anyone, at any time, even messages that are uploaded in conversations.

If someone was that way inclined, and let's be honest again, this is the internet, so there are weirdo's, creeps, perverts, trolls, etc everywhere and all they have to do is, sit there and go through each image one by one and have no trouble accessing them at all. If I wanted to, I could sit here right now and go through all the images that have been uploaded to xenforo, I could see everyone's conversation images without any trouble whatsoever. Luckily I have better things to do.

Considering there are probably a lot of sites that allow access to young teenagers and adults, it's alarming how easy it would be for someone to see any image that has been uploaded.

Again, I know it's not stated that conversations are private, but come on, everyone, as in, the average user, thinks that they are and if they wanted to share an image with with friends/family only, they would upload it in a conversation as oppose to the whole forum because they would assume it is a private thing.

Anyway, I know it's not a bug, but I think it definitely needs addressing somehow.

Thank you :)
 
Were you logged in as an admin by any chance? Admins can see any attachment.

Conversation attachments aren't available to anyone unless they're a participant (or an admin).
 
This means, all images are accessible to anyone, at any time, even messages that are uploaded in conversations.
No, it doesn't. It means that you can see any attachment you have permission to access. There are permission checks on all attachment views.

Conversations specifically require you to be a participant in the conversation.

The same process is used with threads, forums, conversations, resources, media, etc...

Admins can see any attachment.
This is not correct, unless you're referring to the attachment browser in the control panel. Admins are subject to the same permission checks as anyone else.
 
As admin, I can see all the images, which as I said is expected.

Before I posted yesterday, I tried a non admin/mod account and could still see the image which was in a conversation that the account I was using was not a part of. This is what lead me to "air my concern".

After reading what Mike said...

There are permission checks on all attachment views.

I ran "clean up permissions" and rebuilt the "user caches" and now, in the words of Austin Powers, "Everything seems to be in order" (y)

Thanks guys :)
 
Top Bottom