Fixed member able to bypass attachment limit (when dragging files into the editor)

Discussion in 'Resolved Bug Reports' started by Mr Lucky, Oct 5, 2016.

  1. Mr Lucky

    Mr Lucky Well-Known Member

    I had max attachments in messages set to 5, but a member managed to make a post with 16 attachments.

    I then reset the options to 2 and tested it; I was only able to upload 2 in a test message.

    Is there some setting elsewhere that could have overridden this?
  2. Tracy Perry

    Tracy Perry Well-Known Member

    Have you checked to see if the message was edited and additional images added to it each time? I'm not sure if the limit is applied for edits if there are already existing images in it.
  3. SneakyDave

    SneakyDave Well-Known Member

    Is this person part of another usergroup that may have elevated attachment privileges?
  4. Digital Doctor

    Digital Doctor Well-Known Member

    Locally hosted?
  5. Martok

    Martok Well-Known Member

    User group permissions only determine whether or not a user can upload attachments. The number of attachments in a post is a global option in Options > Attachments.
  6. Mr Lucky

    Mr Lucky Well-Known Member

    The message was not edited; however, if it was, then you should still get an error message when trying to exceed the limit, i.e. editing is not a method that can bypass the rules set.

    There are no elevated attachment privileges related to number of attachments in a post. Usergroup permissions do not cover number of attachments. Well, I can't find any such permission anyway, but I'm asking in case there could be something lurking elsewhere that might override what is in Options > Attachments.

    I'm not quite sure what you mean. I was under the impression that all attachments go into your XenForo attachment folder (data or internal data).

    Yes, this is exactly why I am confused, as I'm not aware of any other place there could be such a permission. My test member with the exact same usergroups cannot exceed the limit, so I am quite perplexed about how this happened.

    The post contains nothing but uploaded attachments.

  7. Martok

    Martok Well-Known Member

    Do you have any add-ons that may affect posts and/or attachments in some way?
  8. Mr Lucky

    Mr Lucky Well-Known Member

    No, but so far I have not been able to reproduce the issue, so even disabling all addons isn't going to tell me anything.

    I have tried a test member with the same usergroups, attempted to upload more after edit, tried drag and drop, and it is all working as expected - the error notice pops up when it should.
  9. Chris D

    Chris D XenForo Developer Staff Member

    Are all of these attachments actually visible inside the post (either by thumbnail or the full image) or are some of them merely a link, e.g. "View attachment 79566"?
  10. Mr Lucky

    Mr Lucky Well-Known Member

  11. Chris D

    Chris D XenForo Developer Staff Member

    As far as I can work out, the only way this might have happened is if the user posted several posts with the attachments and then a moderator came along and merged them together. That would be logged in the "Moderator Actions" log though in the Thread Tools.
  12. Mr Lucky

    Mr Lucky Well-Known Member

    Just checked, nothing in the moderator log re: that thread at all.
  13. Chris D

    Chris D XenForo Developer Staff Member

    But it's not something you've been able to reproduce since?

    Presumably you can't upload more than X images when creating the post, but what if you save the message, edit (and then go to More Options) and then try to add more, does that allow them through? (It shouldn't, and doesn't in my testing). That said, if it was done this way then the post would have a "History" link assuming you have post edit history enabled.
  14. Mr Lucky

    Mr Lucky Well-Known Member

    I tried that in my testing. As expected, I could not upload beyond the limit when editing (which is of course the way it should be).

    The post has no edit history.

    I am going to test again on my test installation with a database from before the post, and log in as that actual member to see what happens.
  15. Chris D

    Chris D XenForo Developer Staff Member

    Good plan.
  16. Martok

    Martok Well-Known Member

    Though doesn't Post Edit history only kick in after 5 minutes (so in theory you can edit a post multiple times in that window and it not show in history)?
  17. Mr Lucky

    Mr Lucky Well-Known Member

    I'll test that.

    EDIT: I have edited this post immediately. Is there a history?
  18. Digital Doctor

    Digital Doctor Well-Known Member

  19. Chris D

    Chris D XenForo Developer Staff Member

    No. Post edit history is always logged, regardless.

    The "Last edited by..." only appears after 5 minutes.
  20. Mr Lucky

    Mr Lucky Well-Known Member

    Success, I can reproduce it. On my live site with max images set to 2.

    It is necessary to drag and drop the files in one go. I did this with eight images and got the error. I just dismissed this error and hit the post reply button and the reply appeared with 6 images:

    I then did a second test, and did not even get the error.
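
Added example, not part of the thread and not XenForo code: a small Python model of one way a per-upload limit check can be passed by every file in a single drag-and-drop batch, shown next to an atomic check and a re-count at save time. The thread does not state the root cause; the stale-count behaviour, the function names and the sample file names are assumptions made for illustration.

```python
# Added illustration; names and flow are hypothetical, not XenForo's.
MAX_ATTACHMENTS = 2  # the limit used in the reproduction above


class Draft:
    """Attachments uploaded against one unsaved message."""
    def __init__(self):
        self.files = []


def upload_batch_stale_check(draft, names, limit=MAX_ATTACHMENTS):
    """Weak pattern: every request in the batch is checked against a count
    read before any sibling upload has been recorded."""
    seen_count = len(draft.files)        # one snapshot shared by all requests
    allowed = [n for n in names if seen_count < limit]
    draft.files.extend(allowed)          # every file passed the same check
    return len(allowed)


def upload_batch_atomic(draft, names, limit=MAX_ATTACHMENTS):
    """Hardened pattern: check and record are a single step per file, so the
    count is always current (on a real server: a lock or DB constraint)."""
    accepted = 0
    for name in names:
        if len(draft.files) >= limit:
            break
        draft.files.append(name)
        accepted += 1
    return accepted


def save_post(draft, limit=MAX_ATTACHMENTS):
    """Final gate: re-count at save time, whatever the upload step or a
    dismissed client-side error dialog allowed through."""
    if len(draft.files) > limit:
        raise ValueError(f"{len(draft.files)} attachments exceeds limit {limit}")
    return list(draft.files)


def demo():
    dropped = [f"img{i}.jpg" for i in range(8)]   # constructed sample input
    weak, strong = Draft(), Draft()
    upload_batch_stale_check(weak, dropped)
    upload_batch_atomic(strong, dropped)
    try:
        save_post(weak)
        weak_saved = True
    except ValueError:
        weak_saved = False
    return len(weak.files), weak_saved, len(save_post(strong))
```

The save-time re-count is the check that matters for an admin-set limit: it holds even when the upload step or the browser-side error can be bypassed or dismissed.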

