We build. You grow.

Get best community software here

Start a social network, a fan-site, an education project with oxwall - free opensource community software

Privacy photos [Answered] | Forum

pit
pit Aug 11 '14
Supposedly my site is closed to prying eyes, that is, if you're not a member, you can't see almost any content.

I don't understand how it could be that even changing the privacy settings, anyone with the url accurate picture you can see any user (example: http://www.bdsmhispano.com/..._1_530815c819de5.jpg.

).

It is very serious and I need to fix this before there is content theft.


MORE INFO:


I recently updated to 1.7

The Forum post is edited by pit Aug 12 '14
ross Team
ross Aug 11 '14
Do the search on the forum please, this topic has been discussed a bunch of times. 
pit
pit Aug 12 '14

Hi Ross


I type "privacy" and find some results but:


http://www.oxwall.org/forum/topic/22343 (this one talks about newsfeed plugin and it's not ended or solved)


http://www.oxwall.org/forum/topic/20850 (this one talks about traduction in a text key, only this)

http://www.oxwall.org/forum/topic/17546 (in this topic, Kostia talks about other plugin, the 'questions plugin' but it isn't the same)


http://www.oxwall.org/forum/topic/18235 ;


------this one it's the most similar problem like mine… and I say any things about…:




An user called Wilson say: "…go to your oxwall /admin/permissions area of your site. You should be at “Global Privacy” area, looking below at “Guests can view the site” check the “NO” box and press “save”. Now no one can see your site unless they have registered."


… and, for sure, I do that and i selected: "Unregistered users can't see photos"; any guest people are unchecked in all pluggins, but, if they have any photo url direction, they can.


In global permissions:


And in role permisions (photos):







I see any special difference, when I type a url to see any photo (http:///..._1_530815c819de5.jpg); the server don't make any db query and don't need to check if guest is registerred or not, only show the result. It's not the same like if I try to search an result about one registered user like www.mydomain.com/user/pit



Now I say one thing more…… The user who upload this pic, put in their own privacy terms that only show photos with friends (only friends registered in the system) but all people who can read this, can see the photo only clicking here: http://www.bdsmhispano.com/...838cfb8292.jpg. ;



Ok, the photo names are complicated (photo_1_530815c819de5.jpg) because use a random names but if any registered user report 1 by 1, all photo names and post the links in another site (like i do here), the photos are exposed without any security... and... wait!!! if they want, can do hotlinking too O_o



Make sure, Ross, that I search in the forum any solution to this bug, searching by "privacy" and searching by "photos" but i don't find a exact problem solution. Maybe the thread solution is written in another language, I do not say no, but I could not find it. If you know where talks about this exact problem, I would appreciate very much to provide me the link.

ross Team
ross Aug 12 '14
This is a permalink, even FB has such in terms of images. In order to change this behavior is considered as a custom code modification. 
pit
pit Aug 12 '14

=_= hummmmm, i see, it's no easy.


Ok, for the moment, I minimize the risk preventin hotlinking, I just found this: http://www.oxwall.org/forum/topic/13128


...and I apply, for sure. (I need to try now if is working).


Thanks Ross.

Kяuncн Leader
Kяuncн Jan 23 '15
Many Hosting providers will by default have an option for Hot-Linking at the cPanel, if by chance your provider has not supplied this you can request that they add/Allow for this option.

After you set your desired function for disallowing hot-linking it should auto add the proper codes w/In your .htaccess file...


Step (01)



Step (02)



Step (03)


The Forum post is edited by Kяuncн Jan 23 '15