Fixed Guests are able to open some attachments

twollert

Active member
Affected version
2.2.0
Hi,

I have set the rights for "View attachments to posts" to "No" for unregistered users.

But since I made the upgrade to 2.2 (last Monday), they can open MP3 files posted after the upgrade. Check for yourself as a guest:

MP3 attachment posted before the upgrade ("You must be logged-in to do that." - that's correct):


MP3 attachment posted after the upgrade (it's possible to open - wrong):


They still have no access to other file types (like JPG) posted after the upgrade.

Could you check that please?
 
Those threads are in different forums.

Check the node specific permissions for the unregistered user group for both.
 
It's not a permission issue, but XF 2.2.0 intentionally (I guess) stored them in the /data/ directory, so anyone can access them without PHP/MySQL permissions involved.
 
Check the node specific permissions for the unregistered user group for both.

The problem also occurs within the same forum.

MP3 attachment posted before the upgrade ("You must be logged-in to do that." - that's correct):


MP3 attachment posted after the upgrade (it's possible to open - that's wrong):


XF 2.2.0 intentionally (I guess) stored them in the /data/ directory

Right, the attachments are being stored on /data/audio since the upgrade.
 
I checked with the developers; it's likely a regression with 2.2, so it will be addressed in a future release.

Right, the attachments are being stored on /data/audio since the upgrade.
Audio and video attachments have always been stored in the /data directory.
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.1).

Change log:
Ensure that Attachment::getDirectUrl only returns raw display URLs when the attachment is viewable
There may be a delay before changes are rolled out to the XenForo Community.
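
The change-log entry above, as an added illustration that is not XenForo's code and not part of the thread: a simplified model of a direct-URL getter before and after it is gated on viewability. Only the name getDirectUrl and the /data/audio location come from the thread; the class shape, canView, getViewUrl, the route and the file name are hypothetical.

```php
<?php
// Simplified model, not XenForo source. Every name other than getDirectUrl
// is a hypothetical stand-in chosen for this illustration.
final class Attachment
{
    public function __construct(
        private int $id,
        private string $dataPath,    // file under the web-served /data directory
        private bool $guestsMayView  // stand-in for "View attachments to posts"
    ) {}

    public function canView(bool $isGuest): bool
    {
        return !$isGuest || $this->guestsMayView;
    }

    // Application route that runs the permission check on every request.
    public function getViewUrl(): string
    {
        return "/attachments/{$this->id}/";
    }

    // Before: the raw static URL is handed out regardless of the viewer.
    public function getDirectUrlBefore(bool $isGuest): ?string
    {
        return $this->dataPath;
    }

    // After: the raw URL is returned only when the attachment is viewable.
    public function getDirectUrl(bool $isGuest): ?string
    {
        return $this->canView($isGuest) ? $this->dataPath : null;
    }

    // Link a template would render: direct URL if available, else the checked route.
    public function linkFor(bool $isGuest, bool $fixed): string
    {
        $direct = $fixed ? $this->getDirectUrl($isGuest) : $this->getDirectUrlBefore($isGuest);
        return $direct ?? $this->getViewUrl();
    }
}

$mp3 = new Attachment(101, '/data/audio/example.mp3', false); // constructed sample
foreach ([false, true] as $fixed) {
    foreach ([true, false] as $isGuest) {
        printf("%s %s -> %s\n", $fixed ? 'after ' : 'before',
            $isGuest ? 'guest ' : 'member', $mp3->linkFor($isGuest, $fixed));
    }
}
```

In this model the guest is given the static file path only in the "before" case; in the "after" case the guest is sent to the permission-checked route, while a member still gets the direct URL.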
 