XF 1.5 Post attachments always show when URL known

John Stone

I didn't want to post this in bugs until I get a confirmation that it's not a settings issue.

I run a health and fitness site, and some members are very sensitive about their progress pictures. As such, I have some private forums that only a small group of users can access. Unfortunately I just discovered that if the exact URL is known, anyone can view an attached image that has been posted to a private forum. This should definitely not be possible when the image is sitting in a forum that someone would otherwise not have access to.

Here's an example: http://forums.johnstonefitness.com/data/attachments/26/26399-a38143f1c58780acd20fdc302226b307.jpg

That image is in a locked down forum.

Full size attachments are protected by permissions. Attachments are only available by a programmatic link which runs through the various permission and content checks required before showing an image.

The image in your example is a thumbnail. These are merely files that are on the file system and there's no programmatic way of checking permissions in this case. They are, however, only ever saved with an obfuscated URL which would be near impossible to randomly guess.

One could argue this is a bug or a security issue; however, for the most part, if you know the thumbnail URL then you likely have access to the original image anyway. If one were so inclined, there would be nothing to prevent them from downloading that image and keeping it or providing access to others who don't have permission.
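As an added illustration (not XenForo's code, and not something either poster wrote), this sketch shows what routing thumbnails through the same permission check as full-size attachments would look like: the handler parses the `data/attachments/<dir>/<id>-<hash>.jpg` path format from the example URL, matches the hash against a stored value, then checks the requesting user against the forum's viewer list before serving. The attachment table, node ids and user ids are constructed sample data.

```python
import hmac
import re
from typing import Optional, Tuple

# Thumbnail path format from the thread: /data/attachments/<dir>/<attachment_id>-<32 hex chars>.<ext>
THUMB_RE = re.compile(r"^/data/attachments/(\d+)/(\d+)-([0-9a-f]{32})\.(jpe?g|png|gif)$")

# Constructed sample records (hypothetical schema, not XenForo's):
# attachment_id -> (stored obfuscation hash, node_id of the forum the post lives in)
ATTACHMENTS = {
    26399: ("a38143f1c58780acd20fdc302226b307", 41),  # id and hash taken from the page's example URL
    26400: ("0f1e2d3c4b5a69788796a5b4c3d2e1f0", 7),   # constructed public attachment
}
# node_id -> set of user_ids allowed to view that forum; None means the forum is public
FORUM_VIEWERS = {41: {3, 8}, 7: None}


def authorize_thumbnail(path: str, user_id: Optional[int]) -> Tuple[int, str]:
    """Decide whether a thumbnail request may be served.

    Returns an (HTTP status, reason) pair. Unknown ids and wrong hashes both
    map to 404 so a requester cannot tell a bad guess from a missing file.
    """
    match = THUMB_RE.match(path)
    if not match:
        return 404, "not a thumbnail path"
    attachment_id, url_hash = int(match.group(2)), match.group(3)
    record = ATTACHMENTS.get(attachment_id)
    if record is None:
        return 404, "unknown attachment"
    stored_hash, node_id = record
    # Constant-time comparison so timing does not reveal how much of the hash matched.
    if not hmac.compare_digest(stored_hash, url_hash):
        return 404, "hash mismatch"
    viewers = FORUM_VIEWERS.get(node_id)
    if viewers is not None and user_id not in viewers:
        # Same permission gate the full-size attachment route applies; log for detection.
        return 403, "user %s may not view forum node %d" % (user_id, node_id)
    return 200, "serve"
```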