View Issue Details

IDProjectCategoryView StatusLast Update
0005398Simple:Pressuploadingpublic2018-06-09 23:29
ReporterYellow SwordfishAssigned To 
PrioritynormalSeverityN/AReproducibilityhave not tried
Status newResolutionopen 
Product Version5.6.4 
Target VersionFuture ReleaseFixed in Version 
Summary0005398: Allow for secure download of attachment files
DescriptionAt the moment anyone can download an attachment if they know the url - and that is available in posts...

User has requested to secure this so that it is not as open.

Might be able to use my existing download manager script to grab the url from the post attachments table. This would allow for user checking.

Worth looking into anyway.

TagsNo tags attached.
change_log_textAllow for secure download of attachment files
typedefect

Activities

Yellow Swordfish

Yellow Swordfish

2016-08-18 15:04

administrator   ~0018335

Here is the suggestion:

Attachments sit in the postattachments table. And they have an ID.
So - on posts when we display the little attachments listing with a link to the actual item, we instead use a php file with the ID passed as a query variable - just like the download stuff I wrote that we use now - only without the admin end clutter.

When someone clicks on that url we do what we do in the downloads manager now. Check they are logged in and if so - allow the download.

What do you say?
Mr Papa

Mr Papa

2016-08-19 02:41

administrator   ~0018337

not a big fan of this one, yet fully understand why folks want it...

but why check if logged in? seems like there should be some sort of permissions check in there... at least see if they can view the forum in some manner... didnt you just do a ticket to add specific permissions for viewing uploads? if so, seems like those should be used... dont think logged in equals secure...

and how are you going to deal with the image display vs the attachments link? the straight url to the file can be gotten by inspecting the viewed image... and can then still be grabbed 'unsecurely'... they had to know the url before and they can still know the url now and go directly to it...
Yellow Swordfish

Yellow Swordfish

2016-08-20 06:22

administrator   ~0018341

I did mean a full permission check.
Yes - you're right about the url aren't you. I am getting too fanciful here in my dotage! The core url can still be passed to someone who has no access which would allow them to see it.
Although, someone who wanted that level of security would presumably disallow that sort of access would they not?
Yellow Swordfish

Yellow Swordfish

2016-08-25 06:25

administrator   ~0018379

STEVE wrote

I was thinking on attachment downloads yesterday... struggle with the point if its not really helping... was the issue with images and media? or with files? regarding the first two, this doesn't do much... yes it obfuscates the url in the attachments section, but if I can see that, I can see the image/media and still get a direct link to it... so don't really see any value... on the other hand, it does make sense for files... files are not shown in the code - only with a link in the attachments section... so using a php download url does protect the file location and access to it....

so basically I see no value on images and media and wouldn't waste my time... but when combined with the new attachments permissions, I do see value... it can protect it even if the url gets out with the permission check.... So my recommendation is implement it for files only... which, btw (though far from convincing), the mantis ticket is written against attachment files...


Image and media files ARE 'attachment files'. That is how we class them.
I am not going to labour this as part of me agrees with you but you did ignore my question regarding the user securing those items server-side.

The one I recall where this question came up was someone offering training via their own created videos and course material. Whether that should be done via a forum is perhaps questionable but they were. And they wanted to stop people grabbing the url of the files AND videos - and then passing it to others to download them without paying the course costs. While allowing their paid-up and logged in users to do so via the forum itself.

If this can not be done via the twin pronged approach of server directives and download control then fine - we will close it now. I just do not know enough about securing your server files to know if possible.

oh - and I also appreciate that this is a very unimportant and fringe case scenario. I just saw the point of what they wanted to do.
Mr Papa

Mr Papa

2016-08-27 01:06

administrator   ~0018383

image and media attachments are handled differently than file attachments... image and media attachments can be inserted into a post, a file attachment cannot.. a file is only shown in the attachments area...

so having the extra security for the file attachment makes good sense... the url is not available to anyone who can see it if the attachment section for the file has a php url.. you have just secured the file attachment...

media and images are shown in the post and anyone can readily get and share the url... so adding a php url those attachment seems like big waste of time... you really havent secured anything...

unfortunately, I dont recall if the original poster was referring to files or not... quick search and I didnt find...

So I guess to summarize, I think this would add a good layer of security to file attachments.. they would be secured and only available to users who had permission to view/download them... the actual path to the attachment file is never displayed to any user so it remains fully secure... but that is not the case for images and media... they could be shared and downloaded by anyone... securing at server is difficult at best...
Yellow Swordfish

Yellow Swordfish

2016-08-27 07:02

administrator   ~0018386

Ok - I am throwing it into the junkyard for now
Mr Papa

Mr Papa

2016-08-27 18:08

administrator   ~0018388

so I guess you dont have the actual thread? to verify if original requester was talking about specific attachment types...

Issue History

Date Modified Username Field Change
2016-04-10 16:14 Yellow Swordfish New Issue
2016-04-10 16:14 Yellow Swordfish Status new => assigned
2016-04-10 16:14 Yellow Swordfish Assigned To => Yellow Swordfish
2016-05-04 16:10 Yellow Swordfish Target Version 5.6.6 => 5.6.7
2016-05-20 21:49 Mr Papa Target Version 5.6.7 => 5.6.8
2016-07-10 14:16 Yellow Swordfish Target Version 5.6.8 => 6.0
2016-08-12 07:44 Yellow Swordfish Target Version 6.0 => 5.7.1
2016-08-12 07:44 Yellow Swordfish change_log_text => Allow for secure download of attachment files
2016-08-18 15:04 Yellow Swordfish Note Added: 0018335
2016-08-19 02:41 Mr Papa Note Added: 0018337
2016-08-20 06:22 Yellow Swordfish Note Added: 0018341
2016-08-20 15:29 Mr Papa Target Version 5.7.1 => 5.7.2
2016-08-25 06:25 Yellow Swordfish Note Added: 0018379
2016-08-27 01:06 Mr Papa Note Added: 0018383
2016-08-27 07:02 Yellow Swordfish Assigned To Yellow Swordfish =>
2016-08-27 07:02 Yellow Swordfish Status assigned => new
2016-08-27 07:02 Yellow Swordfish Target Version 5.7.2 => The Junkyard
2016-08-27 07:02 Yellow Swordfish Note Added: 0018386
2016-08-27 18:08 Mr Papa Note Added: 0018388
2018-06-09 21:02 Mr Papa Target Version The Junkyard => Future Release
2018-06-09 23:29 Mr Papa Category security => uploading