View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0005398||Simple:Press||uploading||public||2016-04-10 16:14||2018-06-09 23:29|
|Reporter||Yellow Swordfish||Assigned To|
|Priority||normal||Severity||N/A||Reproducibility||have not tried|
|Target Version||Future Release||Fixed in Version|
|Summary||0005398: Allow for secure download of attachment files|
|Description||At the moment anyone can download an attachment if they know the url - and that is available in posts...|
User has requested to secure this so that it is not as open.
Might be able to use my existing download manager script to grab the url from the post attachments table. This would allow for user checking.
Worth looking into anyway.
|Tags||No tags attached.|
|change_log_text||Allow for secure download of attachment files|
Here is the suggestion:
Attachments sit in the postattachments table. And they have an ID.
So - on posts when we display the little attachments listing with a link to the actual item, we instead use a php file with the ID passed as a query variable - just like the download stuff I wrote that we use now - only without the admin end clutter.
When someone clicks on that url we do what we do in the downloads manager now. Check they are logged in and if so - allow the download.
What do you say?
not a big fan of this one, yet fully understand why folks want it...
but why check if logged in? seems like there should be some sort of permissions check in there... at least see if they can view the forum in some manner... didn't you just do a ticket to add specific permissions for viewing uploads? if so, seems like those should be used... don't think logged in equals secure...
and how are you going to deal with the image display vs the attachments link? the straight url to the file can be gotten by inspecting the viewed image... and can then still be grabbed 'unsecurely'... they had to know the url before and they can still know the url now and go directly to it...
I did mean a full permission check.
Yes - you're right about the url aren't you. I am getting too fanciful here in my dotage! The core url can still be passed to someone who has no access which would allow them to see it.
Although, someone who wanted that level of security would presumably disallow that sort of access would they not?
I was thinking on attachment downloads yesterday... struggle with the point if it's not really helping... was the issue with images and media? or with files? regarding the first two, this doesn't do much... yes it obfuscates the url in the attachments section, but if I can see that, I can see the image/media and still get a direct link to it... so don't really see any value... on the other hand, it does make sense for files... files are not shown in the code - only with a link in the attachments section... so using a php download url does protect the file location and access to it....
so basically I see no value on images and media and wouldn't waste my time... but when combined with the new attachments permissions, I do see value... it can protect it even if the url gets out with the permission check.... So my recommendation is implement it for files only... which, btw (though far from convincing), the mantis ticket is written against attachment files...
Image and media files ARE 'attachment files'. That is how we class them.
I am not going to labour this as part of me agrees with you but you did ignore my question regarding the user securing those items server-side.
The one I recall where this question came up was someone offering training via their own created videos and course material. Whether that should be done via a forum is perhaps questionable but they were. And they wanted to stop people grabbing the url of the files AND videos - and then passing it to others to download them without paying the course costs. While allowing their paid-up and logged in users to do so via the forum itself.
If this can not be done via the twin pronged approach of server directives and download control then fine - we will close it now. I just do not know enough about securing your server files to know if possible.
oh - and I also appreciate that this is a very unimportant and fringe case scenario. I just saw the point of what they wanted to do.
image and media attachments are handled differently than file attachments... image and media attachments can be inserted into a post, a file attachment cannot.. a file is only shown in the attachments area...
so having the extra security for the file attachment makes good sense... the url is not available to anyone who can see it if the attachment section for the file has a php url.. you have just secured the file attachment...
media and images are shown in the post and anyone can readily get and share the url... so adding a php url to those attachments seems like a big waste of time... you really haven't secured anything...
unfortunately, I don't recall if the original poster was referring to files or not... quick search and I didn't find...
So I guess to summarize, I think this would add a good layer of security to file attachments.. they would be secured and only available to users who had permission to view/download them... the actual path to the attachment file is never displayed to any user so it remains fully secure... but that is not the case for images and media... they could be shared and downloaded by anyone... securing at server is difficult at best...
Ok - I am throwing it into the junkyard for now
so I guess you don't have the actual thread? to verify if original requester was talking about specific attachment types...
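The design the notes above converge on (a download URL that carries only the attachment ID, with a permission check before the file is served), as an added example that is not Simple:Press code and not written by either participant. The function name, the sample rows, the grants map and the store directory are all assumptions, and the store is assumed to sit where the web server does not serve it directly.

```php
<?php
// Added illustration; every name here is hypothetical, not Simple:Press code.
// Constructed stand-in for rows of the post attachments table.
$attachments = [
    17 => ['forum_id' => 3, 'file' => 'course-notes.pdf'],
    18 => ['forum_id' => 5, 'file' => 'lesson-01.mp4'],
];
// Constructed permission map: user id => forums whose attachments the user
// may download. User 0 is a guest.
$grants = [0 => [], 42 => [3]];

/** Decide how to answer download.php?id=N. Returns [HTTP status, path|null]. */
function resolve_download($rawId, int $userId, array $attachments, array $grants, string $storeDir): array
{
    // The client supplies only an ID, never a path or file name.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($attachments[$id])) {
        return [404, null];
    }
    $row = $attachments[$id];
    // Full permission check on the owning forum, not merely "is logged in".
    if (!in_array($row['forum_id'], $grants[$userId] ?? [], true)) {
        return [403, null];
    }
    // Resolve the stored name inside the store; refuse anything that escapes it.
    $root = realpath($storeDir);
    $path = realpath($storeDir . DIRECTORY_SEPARATOR . basename($row['file']));
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return [404, null];
    }
    // A real handler would now send headers and stream $path with readfile().
    return [200, $path];
}

// Demo against a constructed store directory and file.
$store = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attachment-store-demo';
if (!is_dir($store)) { mkdir($store); }
file_put_contents($store . DIRECTORY_SEPARATOR . 'course-notes.pdf', 'constructed sample');
foreach ([[17, 42], [17, 0], [18, 42], ['../x', 42]] as [$id, $user]) {
    [$status] = resolve_download($id, $user, $attachments, $grants, $store);
    echo "id=$id user=$user -> status $status\n";
}
```

The check only protects files whose direct URL is not reachable; as the notes point out, an image or media URL shown in a post can still be fetched unless the server itself refuses direct requests.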
|2016-04-10 16:14||Yellow Swordfish||New Issue|
|2016-04-10 16:14||Yellow Swordfish||Status||new => assigned|
|2016-04-10 16:14||Yellow Swordfish||Assigned To||=> Yellow Swordfish|
|2016-05-04 16:10||Yellow Swordfish||Target Version||5.6.6 => 5.6.7|
|2016-05-20 21:49||Mr Papa||Target Version||5.6.7 => 5.6.8|
|2016-07-10 14:16||Yellow Swordfish||Target Version||5.6.8 => 6.0|
|2016-08-12 07:44||Yellow Swordfish||Target Version||6.0 => 5.7.1|
|2016-08-12 07:44||Yellow Swordfish||change_log_text||=> Allow for secure download of attachment files|
|2016-08-18 15:04||Yellow Swordfish||Note Added: 0018335|
|2016-08-19 02:41||Mr Papa||Note Added: 0018337|
|2016-08-20 06:22||Yellow Swordfish||Note Added: 0018341|
|2016-08-20 15:29||Mr Papa||Target Version||5.7.1 => 5.7.2|
|2016-08-25 06:25||Yellow Swordfish||Note Added: 0018379|
|2016-08-27 01:06||Mr Papa||Note Added: 0018383|
|2016-08-27 07:02||Yellow Swordfish||Assigned To||Yellow Swordfish =>|
|2016-08-27 07:02||Yellow Swordfish||Status||assigned => new|
|2016-08-27 07:02||Yellow Swordfish||Target Version||5.7.2 => The Junkyard|
|2016-08-27 07:02||Yellow Swordfish||Note Added: 0018386|
|2016-08-27 18:08||Mr Papa||Note Added: 0018388|
|2018-06-09 21:02||Mr Papa||Target Version||The Junkyard => Future Release|
|2018-06-09 23:29||Mr Papa||Category||security => uploading|