Not a Bug Attachments

Discussion in 'Resolved Bug Reports' started by RichardKYA, May 10, 2015.

  1. RichardKYA

    RichardKYA Well-Known Member

    This isn't really a bug or a question, but it is, in my eyes, a problem.

    All attachments can be viewed by anyone that is logged in very easily, including images uploaded in conversations.

    I know conversations are not "private" as such, but let's be honest, they are meant to be "private" and their function is to provide a "private" area for personal conversations.

    What I am saying is that, to the user, conversations are private.

    Now yes, on any site I use I would expect even my personal messages, private messages and personal conversations, whatever you wanna call them, to be monitored by admins/mods at some point. I would consider that fair practice even if I was uploading personal images of any nature to an assumed/implied, maybe not disclosed as private, message thread/conversation, but nevertheless, messages of this kind are considered private, so if I upload an image that I only want my friend/family seeing, I wouldn't expect it to be easily viewed by anyone else. I don't mean admin/mods, I mean everyone else.

    What alerted me to this problem was an attachment link in a notification e-mail.

    I linked to the image from within my e-mail and I noticed the URL and wondered if changing the image number would display another image and... it does!

    I don't have to change anything apart from the number, so I could put www.mysite.com/forum_folder/attachments/anything-i-want-here-it-doesn't-matter-i-could-put-nothing-if-wanted-as-long-i-have-jpg.9 or whatever number I wanted.

    This means, all images are accessible to anyone, at any time, even messages that are uploaded in conversations.

    If someone was that way inclined, and let's be honest again, this is the internet, so there are weirdos, creeps, perverts, trolls, etc. everywhere, and all they have to do is sit there and go through each image one by one and have no trouble accessing them at all. If I wanted to, I could sit here right now and go through all the images that have been uploaded to xenforo, I could see everyone's conversation images without any trouble whatsoever. Luckily I have better things to do.

    Considering there are probably a lot of sites that allow access to young teenagers and adults, it's alarming how easy it would be for someone to see any image that has been uploaded.

    Again, I know it's not stated that conversations are private, but come on, everyone, as in the average user, thinks that they are, and if they wanted to share an image with friends/family only, they would upload it in a conversation as opposed to the whole forum because they would assume it is a private thing.

    Anyway, I know it's not a bug, but I think it definitely needs addressing somehow.

    Thank you :)
    whynot likes this.
  2. Jeremy P

    Jeremy P Well-Known Member

    Were you logged in as an admin by any chance? Admins can see any attachment.

    Conversation attachments aren't available to anyone unless they're a participant (or an admin).
  3. Mike

    Mike XenForo Developer Staff Member

    No, it doesn't. It means that you can see any attachment you have permission to access. There are permission checks on all attachment views.

    Conversations specifically require you to be a participant in the conversation.

    The same process is used with threads, forums, conversations, resources, media, etc...

    This is not correct, unless you're referring to the attachment browser in the control panel. Admins are subject to the same permission checks as anyone else.
  4. RichardKYA

    RichardKYA Well-Known Member

    As admin, I can see all the images, which as I said is expected.

    Before I posted yesterday, I tried a non admin/mod account and could still see the image which was in a conversation that the account I was using was not a part of. This is what led me to "air my concern".

    After reading what Mike said...

    I ran "clean up permissions" and rebuilt the "user caches" and now, in the words of Austin Powers, "Everything seems to be in order" (y)

    Thanks guys :)
  5. Brogan

    Brogan XenForo Moderator Staff Member

    Don't you use aMember?

    I wouldn't be surprised if that is involved somehow.
  6. RichardKYA

    RichardKYA Well-Known Member

    Yeah probably :LOL:
  7. Mike

    Mike XenForo Developer Staff Member

    I suspect you were receiving the cached image in your second test.
    RichardKYA likes this.
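The access model Mike describes in post 3 (a permission check on every attachment view, decided by the content that owns the attachment, with no admin special case) and the caching pitfall he points out in post 7, as an added example that is not XenForo's code: the attachment table, the viewer sets and the user names are constructed, and the `Cache-Control` header is an added mitigation, not something the thread states XenForo sends.

```python
import re

# Constructed sample data (not XenForo's schema): each attachment id maps to
# the content container that owns it, and access is decided by that container.
ATTACHMENTS = {
    7: ("thread", 100),        # attachment posted in a forum thread
    9: ("conversation", 200),  # attachment posted in a conversation
}
# Constructed forum permission: who may view thread 100.
THREAD_VIEWERS = {100: {"member", "admin", "outsider"}}
# Conversation 200 is visible only to its participants, as post 3 says.
CONVERSATION_PARTICIPANTS = {200: {"alice", "bob"}}

# The URL form from post 1: /attachments/<any-slug>.<id>; only the id counts.
_ID_RE = re.compile(r"/attachments/(?:[^/]*\.)?(\d+)/?$")


def parse_attachment_id(url):
    """Return the numeric id at the end of an attachment URL, or None."""
    m = _ID_RE.search(url)
    return int(m.group(1)) if m else None


def can_view(user, attachment_id):
    """Permission check on every attachment view, keyed on the owning content.
    There is no admin special case: an admin is checked like any other user."""
    entry = ATTACHMENTS.get(attachment_id)
    if entry is None:
        return False
    kind, container = entry
    if kind == "conversation":
        return user in CONVERSATION_PARTICIPANTS.get(container, set())
    if kind == "thread":
        return user in THREAD_VIEWERS.get(container, set())
    return False  # unknown container type: deny by default


def serve(user, url):
    """Return (status, headers) for an attachment request.
    Permission-gated bytes are marked non-cacheable so that neither a shared
    cache nor the browser cache can replay them to a later, unauthorised
    session (the false positive Mike suspects in the second test)."""
    attachment_id = parse_attachment_id(url)
    if attachment_id is None or attachment_id not in ATTACHMENTS:
        return 404, {}
    if not can_view(user, attachment_id):
        return 403, {}
    return 200, {"Cache-Control": "private, no-store"}
```

When testing a permission fix from a second account, clear the browser cache or use a fresh private window, otherwise the previously fetched image can be shown without the server ever being asked.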