Fixed Guests are able to open some attachments

[twollert]

Affected version

2.2.0

Hi,

I have set the rights for "View attachments to posts" to "No" for unregistered users.

But since I made the upgrade to 2.2 (last Monday), they can open MP3 files posted after the upgrade. Check yourself as guest:

MP3 attachment posted before the upgrade ("You must be logged-in to do that." - that's correct):

Pannen über Pannen! ...am besten alle hier rein!

Ich hätte da auch noch den jungen aufstrebenden Sender "Toggo Radio", der am vergangenen Donnerstag ganze 15 Minuten das Wort "Datenbereich" gesendet hat. Die Bestätigung für Alle, die meinen es gäbe zu wenig Abwechslung im privaten Rundfunk ;)

www.radioforen.de

MP3 attachment posted after the upgrade (it's possible to open - wrong):

[OT] Forensplitter

Ich weiß, der Threadtitel klingt etwas verworren. Aber ich weiß wirklich nicht, in welchen bestehenden Thread, nicht Treat, ich mein Anliegen posten soll. Geschlossene Threads sind auch nicht hilfreich. Andererseits kann man bestimmte Dinge nicht einfach "unter den Tisch fallen lassen", nur weil...

www.radioforen.de

They still have no access to other file types (like JPG) posted after the upgrade.

Could you check that please?

 

[Paul B]

Those threads are in different forums.

Check the node specific permissions for the unregistered user group for both.

 

[rdn]

It's not permission issue but XF 2.2.0 intentionally (I guess) stored them on /data/ directory so anyone can access it without PHP/MYSQL permission involved.

 

[twollert]

Check the node specific permissions for the unregistered user group for both.

The problem also occurs within the same forum.

MP3 attachment posted before the upgrade ("You must be logged-in to do that." - that's correct):

Pannen über Pannen! ...am besten alle hier rein!

Ich hätte da auch noch den jungen aufstrebenden Sender "Toggo Radio", der am vergangenen Donnerstag ganze 15 Minuten das Wort "Datenbereich" gesendet hat. Die Bestätigung für Alle, die meinen es gäbe zu wenig Abwechslung im privaten Rundfunk ;)

www.radioforen.de

MP3 attachment posted after the upgrade (it's possible to open - that's wrong):

DAB+: Der zweite Bundesmux

Heute scheint es auch bei allen Absolut-Sendern mit Slideshow und Text zu funktionieren. Aber: Bei HOT stehen auf der Website in der Playlist noch die Programmelemente wie Jingles, Drop-Ins, Hook-Promos etc. Im Radiotext wird zudem immer angezeigt, was als nächstes kommt - also auch die Drops...

www.radioforen.de

XF 2.2.0 intentionally (I guess) stored them on /data/ directory

Right, the attachments are being stored on /data/audio since the upgrade.

 

[Paul B]

I checked with the developers, it's likely a regression with 2.2 so will be addressed in a future release.

Right, the attachments are being stored on /data/audio since the upgrade.

Audio and video attachments have always been stored in the /data directory.

 

[twollert]

Audio and video attachments have always been stored in the /data directory.

Yes, but the "audio" folder used in that directory is new.

 

[XF Bug Bot]

Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.1).

Change log:

Ensure that Attachment::getDirectUrl only returns raw display URLs when the attachment is viewable

There may be a delay before changes are rolled out to the XenForo Community.