MG 2.1 Bypassing view media settings
- Thread starter ivp
- Start date
I've just looked at the code and that is impossible as it stands.
You can only use the
Case in point, I just uploaded an image to a private album.
You shouldn't be able to access this:
And you shouldn't be able to access this:
If the behaviour is different on your own forum then we may need you to submit a ticket for us to investigate in-place on your forum but I have significant doubts based on what I've seen so far.
The only thing I could see as a possibility is if an add-on is involved and it is overriding something it shouldn't be.
Incidentally, if you can reproduce this consistently, can you reproduce this with attachments added to a private forum? Or attachments added to a conversation?
You can only use the
hash parameter to view an attachment before it is associated with its content. And even then, the hash has to exactly match the temp_hash column in the xf_attachment table.Case in point, I just uploaded an image to a private album.
You shouldn't be able to access this:
And you shouldn't be able to access this:
If the behaviour is different on your own forum then we may need you to submit a ticket for us to investigate in-place on your forum but I have significant doubts based on what I've seen so far.
The only thing I could see as a possibility is if an add-on is involved and it is overriding something it shouldn't be.
Incidentally, if you can reproduce this consistently, can you reproduce this with attachments added to a private forum? Or attachments added to a conversation?
Just figured out this is not Media Gallery related, but Xenforo itself.
Hash value in my message is just an example and it cannot be reused.
Just noticed this behavior on our forum, because such URL is reported to us.
Don't have a clue how the user formed such URL.
Hash value in my message is just an example and it cannot be reused.
Just noticed this behavior on our forum, because such URL is reported to us.
Don't have a clue how the user formed such URL.
Just to emphasize this part: what you're reporting would probably indicate that the attachment hasn't actually been "attached" to specific content yet, so there aren't actually permissions to apply. Thus, the hash is needed to view the content. The hash is only available to the user in question and it only applies until that content "attachment" happens (such as when a reply is submitted, in the case of a post attachment). If that doesn't happen, the file would be removed (after 24 hours I believe).
So what you're reporting essentially requires the user that uploaded the attachment to directly share the temporary link themselves.
It is accessible to the author only as only the person who uploaded the file sees the link which contains the hash which gives access.
Attachments don't really have a concept of tracking who it is being attached by or who the author of the content is until it is associated. Once it is associated with some content we know who the author is or who should be allowed to view it.
Given everything we've said so far, do you have a practical example of how the current approach is problematic for you?
Attachments don't really have a concept of tracking who it is being attached by or who the author of the content is until it is associated. Once it is associated with some content we know who the author is or who should be allowed to view it.
Given everything we've said so far, do you have a practical example of how the current approach is problematic for you?
We are using MG as a private image hosting, forcing users to specifically allow who will see their photo, for their own protection.
This user found a way to bypass view media settings and provide a link to its photos to anybody.
Such direct link to photo does not provide Xenforo interface, i.e. does not have "Report" link, which allows users to report abuse such as uploading sexually explicit photos.
This user found a way to bypass view media settings and provide a link to its photos to anybody.
Such direct link to photo does not provide Xenforo interface, i.e. does not have "Report" link, which allows users to report abuse such as uploading sexually explicit photos.
Similar threads
- Question
- Question
