XF 1.3 Images in signatures: permissions problem?

Wildcat Media

Well-known member
On ALL usergroups on our forum, I have the Images in Signatures permissions set to "Not Set (no)". Yet today, we found a member who had used [img ] tags to insert two images.

Am I missing something here?

I don't want to use "Never" on the Registered group since, in the future, we may want to give staff the ability to use some sort of avatar or small icon in their signatures. But if that is the only way to enable this, I may enact this in the Registered group so there is no chance of it being overridden.

upload_2014-9-17_15-44-34.webp
 
Use the analyze permissions function to determine how the final value is being set.
If they are members of other user groups which have Allow set, that will overrider Not Set (No).

Also, note that any existing signatures aren't affected by permission changes.
They apply from that point on only, for new or changed signatures.
 
We've had the same permissions since I set up XF in November 2012, and this is an active member. That is why it is puzzling me that he was able to insert these as [img ] bbcode.

Here's what the "analyze permissions" shows me for this member:

upload_2014-9-17_15-52-17.webp

I am wondering if this is somehow covered under a different permission? I haven't tried it, but I am wondering if it is possible to paste an image into the editor, and it is somehow circumventing it that way (just a wild guess at this point).

I may have to experiment later to see how he might have done it.
 
It shouldn't be possible to paste an image if the permission isn't set.

Can you check the user change log to see when it was changed?

It's possible the signature was there for a long time, before the signature permissions were introduced.
 
I only show that he changed something else in his profile (one of our custom fields) once in the past.

However, is there a way to purge the logs? I don't recall ever doing so, but that might be why nothing else shows. I also forgot that some of the signature permissions are newer. That is the only explanation I can think of--perhaps it was added early on. But he's a frequent enough member that I would have thought someone would have reported it by now.
 
Ah OK, ours is set like this:

upload_2014-9-17_16-5-19.webp

I am reluctant to keep things indefinitely, but might bump that up to a year or two. As much activity as we have (up to 1500 online during peak hours), I don't want to keep too much hanging around in the database.

I'm going to bet he snuck those images in there before the new signature permissions came into play. (Although I swore I had some CSS code that blocked images in the signature block...I may have removed it due to the new permissions.)

Thanks much, it's making a bit more sense now!
 
That's my thought also. I may have inadvertently re-enabled them when I cleaned up CSS awhile back.

I already have opacity on the signatures set so they are a bit lighter than the rest of the message text. It's slight, but IMHO it helps readability.
 
Top Bottom