Problem with attachments in the forum | Forum

Tony Feb 19 '12
Unregistered can view and download attachments on the forum.
I think it should not happen, it's a bug?
Is there any way to solve it?
Den Team
Den Feb 21 '12
Confirmed. Unregistered users can still download any attachment by direct URL.

There are two main reasons to leave it this way:

- It's not so easy to get a direct link to an attachment

- Most sites don't require such ultimate security

- Implementation of such security checking requires a really high amount of hosting resources.


So, if you still need this, currently you can implement it yourself or with third-party assistance.


P.S. It was already discussed on our forum.

The Forum post is edited by Den Feb 21 '12
DavidZenry Mar 27 '13
There does not seem to be a way to deactivate/disallow posting attachments once the forum has been created. I've tried editing the forum and there is no option. I can't find any variables in the database either. Seems like a basic bug.
matt Mar 27 '13

Quote from Den: Confirmed. Unregistered users can still download any attachment by direct URL.

There are two main reasons to leave it this way:

- It's not so easy to get a direct link to an attachment

- Most sites don't require such ultimate security

- Implementation of such security checking requires a really high amount of hosting resources.


So, if you still need this, currently you can implement it yourself or with third-party assistance.


P.S. It was already discussed on our forum.


I'm not sure these reasons seem good. They seem to imply that oxwall is looking to attract small sites, cheap hosting and lax security. This seems to contradict other posts from the team which seem to imply a vision of larger sites.

Whilst everyone expects the process of development to take time, I would think that oxwall communities would like secure software, to run on their solid, reliable and capable hosts.

Options! The key to good software platform. If we don't want secure attachments, and the associated overheads, we should be able to switch it off!

I realize that such things can't get implemented at the drop of a hat, but one would hope that such important matters would at least sit on the dev roadmap.

Matt
Purusothaman Ramanujam
Den,

How is this feature going to require a high amount of hosting resources?

In the store, there is a way to restrict file downloads which is almost the same as this.
Den Team
Den Mar 28 '13
Let's make things clear :)

Quote from matt: Options! The key to good software platform. If we don't want secure attachments, and the associated overheads, we should be able to switch it off!

Oxwall is designed and built using another approach. The main keys we are following are:

- speed

- extensibility

- usability


Following these concepts allows us to provide affordable software for a huge range of websites in different niches (from small local communities hosted on cheap shared accounts to international high-load web portals hosted on advanced cloud systems).

Adding all possible options each time won't lead to good software; it will make it complicated and slow.


Basically, the forum's attachments are secured with a hashed filename. Take a look at a generic file name: attachment_1970_5137056893890.jpg. If an ordinary non-logged-in user hasn't been given the exact filename by another user, then they probably won't get it. This works for most websites. The performance is obtained because there are direct links to static attachment files (i.e. http://www.oxwall.org/...70_5137056893890.jpg). This means the file is returned to the user directly, without executing any PHP.


But if you need advanced protection, you are free to implement it as a forum extension via a plugin. In this case, direct links to static attachment files won't work. There should be a special check for logged-in users in a PHP file. The PHP file should fopen the attachment and send it to the browser if access is allowed. And this will require executing a PHP script each time a user views/downloads an attachment file.


The store functionality requires additional security, as paid items should be protected from unauthorized access.
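
The access-checked download described in the post above, sketched in plain PHP as an added example (not part of the original thread and not Oxwall code). It assumes login state is kept in $_SESSION['user_id'] and that attachments are stored in a hypothetical directory outside the web root.

```php
<?php
// Added example: access-checked attachment download (not Oxwall code).
// Assumptions: login state lives in $_SESSION['user_id']; files are stored
// outside the web root in ATTACHMENT_DIR, so no static URL reaches them.
declare(strict_types=1);

const ATTACHMENT_DIR = '/var/www/private/forum_attachments'; // hypothetical path

function resolve_attachment(string $name): ?string
{
    // Accept only the filename shape quoted in the thread:
    // attachment_<id>_<token>.<ext>. Anything else is rejected outright.
    if (!preg_match('/\Aattachment_\d+_[0-9a-f]+\.[a-z0-9]{1,5}\z/', $name)) {
        return null;
    }
    $base = realpath(ATTACHMENT_DIR);
    $path = realpath(ATTACHMENT_DIR . '/' . $name);
    // The resolved path must stay inside the storage directory
    // (rejects traversal and symlinks that point elsewhere).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {          // guest: refuse before touching the disk
    http_response_code(403);
    exit('Sign in to download attachments.');
}

$path = resolve_attachment((string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Attachment not found.');
}

// Send as a download; nosniff stops the browser from rendering uploads inline.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Because the files sit outside the web root, the direct static link no longer works and every download runs this script, which is the per-request cost the thread discusses.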


matt Mar 28 '13

Quote from Den: The store functionality requires additional security, as paid items should be protected from unauthorized access.

Hi Den, Thanks for your comments. I would tend to argue that valuing things only by money (paid items) seems a naive view. Attachments in forums and elsewhere can contain info and content that get valued in a different way. Security of such, seems an issue.

As I mentioned, I expect a plugin will form a solution. Or indeed a bridge to a more fully featured forum.

Cheers,

Matt
suwat pb Jun 16 '13
From Den's message ->

And this will require executing a PHP script each time a user views/downloads an attachment file.


Does it mean big server resource use? And slowing the whole site on shared hosting?


Sample: if this page has 150 pics, PHP must execute 150 times to send the pics to the user's browser (for only 1 page view, and if the user reloads/refreshes the page, PHP works 300 times)?


sorry for my English 

The Forum post is edited by suwat pb Jun 16 '13
Dave S Jun 16 '13

Quote from Den

Basically, the forum's attachments are secured with a hashed filename. Take a look at a generic file name: attachment_1970_5137056893890.jpg.


Photo plugin needs the hash thing. Other plugins have it, but not Photo. I don't understand this.
The Forum post is edited by Dave S Jun 16 '13
Alia Team
Alia Jun 17 '13
suwat pb

>> Sample: if this page has 150 pics, PHP must execute 150 times to send the pics to the user's browser (for only 1 page view, and if the user reloads/refreshes the page, PHP works 300 times)?

Not exactly.
If those 150 pics were attached to this reply as attachments, then PHP would have been executed (checking whether the user is logged in or not) every time a person tried to download the attachments.

By attachments I mean files added here:



Alia Team
Alia Jun 17 '13
Thanks for pointing this out, Dave.
We will add hashes to photo names in one of the upcoming builds.

Jhonkri Ston
Jhonkri Ston Jun 20 '23

Yes, it does seem like an issue that unregistered users are able to view and download attachments on the forum. It's possible that this could be a bug or a misconfiguration. To address this, I recommend reaching out to the forum administrators or JRS International technical support team. They should be able to investigate the issue and provide a solution to ensure that only registered users have access to attachments.