XF 2.2 Image / Attachment Permissions in Private Message Conversations

ProCom

Well-known member
I've had multiple members report this and I've been able to duplicate it.

Expected Behavior:
When an image is uploaded to a private message conversation, if that image URL is copied and pasted externally, it will not be visible to anyone who doesn't have proper permissions for that image.

Unexpected Behavior:
An image is uploaded to a private message conversation, and then that image can be viewed externally by anyone.

Troubleshooting:
  1. Start a private message conversation
  2. Upload an image to the conversation
  3. Right click on the image and copy URL
  4. In an incognito browser window or another browser that is not logged in, enter the image URL to view the image.
  5. Expected Behavior: I should receive an error that you can't view the image
  6. Current behavior: the image is visible and proper permissions are not working
We've used the steps above on other installations of XenForo, and the process works as expected, but on one of our sites it is not working properly and permissions are not maintained as expected.

We've gone through any and all add-ons that we suspect might be directly or tangentially related to attachments and disabled them, and then gone through the troubleshooting process again, but the unexpected behavior persists.

Are there any other suggested troubleshooting and processes we can try to figure out the cause of the problem... and a potential fix?
 
Can you reproduce it here or on a demo?
I suspect not as no-one outside the conversation has permission to view any attachments within it.

Do you have any third party add-ons installed?
 
@Brogan thanks for the quick reply!

Can you reproduce it here or on a demo?
I cannot produce the problem on any of my other sites (that are on a different server) or here, etc. It is definitely isolated to that specific site, and is caused by either server software, an add-on, or similar that is specific to that site.

I suspect not as no-one outside the conversation has permission to view any attachments within it.
Correct. We also found that this is extending beyond just PM conversations, and is also happening with attachments in threads that shouldn't be viewable to anyone outside of that group... Yet the permissions are not being carried properly.

Do you have any third party add-ons installed?
Unfortunately, many. We've gone through and disabled a handful that are directly and tangentially related to attachments, but it didn't make a difference.

I guess we could try disabling all add-ons... I wish there was a way to do that with one button click :(

I'm guessing your suggestion for the next step would be to disable all add-ons and see if the problem persists?
 
There is.

omg, I feel so dumb for not noticing that. thank you!

(I'm assuming there is an "enable all" option, and that they would need to be re-enabled one by one?)
Can you provide a URL to an attachment from a conversation or thread which guests don't have access to?
Yup, I'll send you a PM. :)

One additional piece of information: it seems like this started happening about a year ago, so it seems to be related to something during the upload process since it is not across all images, but ones uploaded since a specific time.

... Unfortunately I don't have any records of what might have been changed back then.
 
I waited until the wee hours of the night, put the site into maint. mode, and disabled all addons.

I went through the troubleshooting steps, and unfortunately the problem persists. I upload an image to a PM, copy the image URL, and paste it into either an incognito window or a different (non-logged-in) browser, and I can see the image :(

Any other ideas or suggestions?
 
Update: Fixed!

Yup, that did the trick!

We disabled the 2 Cloudflare cache page rules, and purged the cache.

Private message images are no longer visible to guests, etc.
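
A check for the condition this thread ended on, as an added example that is not part of any post above: given the status and headers a logged-out client received for a permission-gated attachment URL, it separates "served from a shared cache" from "the origin itself answered a guest". The function name and the sample responses are constructed for illustration; `CF-Cache-Status` is the response header Cloudflare sets.

```python
"""Added example: audit what a logged-out client got for a private attachment URL."""

# CF-Cache-Status values that mean the body came from the edge cache, not the origin.
EDGE_SERVED = {"HIT", "STALE", "REVALIDATED", "UPDATING"}


def audit_anonymous_response(status, headers):
    """Return findings for a response that a guest should have been refused."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if status != 200:
        return []  # guest was refused or redirected: nothing leaked

    findings = ["guest received 200 for a permission-gated URL"]
    cache_status = h.get("cf-cache-status", "").upper()
    age = h.get("age", "")
    from_cache = cache_status in EDGE_SERVED or (age.isdigit() and int(age) > 0)
    if from_cache:
        # The application never saw this request, so its permission check never ran.
        findings.append("served from a shared cache: review cache rules, then purge")
    else:
        findings.append("origin answered the guest directly: review application permissions")

    directives = {
        d.strip().split("=")[0].lower()
        for d in h.get("cache-control", "").split(",")
        if d.strip()
    }
    if not directives & {"private", "no-store"}:
        findings.append("response carries no private/no-store directive")
    return findings


# Constructed sample responses (not captured from any real site).
CACHED_LEAK = (200, {"CF-Cache-Status": "HIT", "Age": "5321",
                     "Cache-Control": "public, max-age=14400"})
REFUSED = (403, {"CF-Cache-Status": "DYNAMIC",
                 "Cache-Control": "private, no-cache, max-age=0"})
ORIGIN_LEAK = (200, {"CF-Cache-Status": "DYNAMIC", "Cache-Control": "private"})

if __name__ == "__main__":
    for name, sample in [("cached leak", CACHED_LEAK), ("refused", REFUSED),
                         ("origin leak", ORIGIN_LEAK)]:
        print(name, "->", audit_anonymous_response(*sample) or "ok")
```

Disabling add-ons cannot change a result in the first category, because the cached copy is returned before the forum software runs.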
 