CMS MADE SIMPLE FORGE

Uploads

 
Back Back to List

[#3454] when use_hierarchy is TRUE, uploaded files are not protected

avatar
Created By: Tahd McGinnis (jmcgin51)
Date Submitted: Wed May 20 10:18:40 -0400 2009

Assigned To:
Version: 1.5.1
CMSMS Version: None
Severity: Major
Resolution: Works For Me
State: Closed
Summary:
when use_hierarchy is TRUE, uploaded files are not protected
Detailed Description:
When the CMSMS use_hierarchy setting is FALSE, the autogenerated link to a
protected Uploads file looks like this:
http://www.mysite.com/index.php?mact=Uploads,m8,getfile,1&m8upload_id=93&m8returnid=42&page=42

A user who is not logged in, or who is not a member of the appropriate group (as
specified in the Uploads category assignments), cannot access this file via this
URL.  This is good.

However, when use_hierarchy is TRUE, the autogenerated Uploads file link looks
like this:
http://www.mysite.com/uploads/93/filename-ext.php

When using this URL, any user (authenticated or not) can access the target file,
just as if they entered the direct full path in the URL
(mysite.com/full/path/to/the/file.ext).  This is not good.

I would be happy to provide a live example via PM or email, if needed.

CMSMS 1.5.3, Uploads 1.5.1

Thank you!


History

Comments
avatar 
Date: 2009-06-06 09:40
Posted By: Mickaël B. Alexandre (mickaelb)

Hello,

Note for Uploads users (in hope this problem will be fix on a next version).

You can Redirect with a Htaccess file this url 

http://www.mysite.com/uploads/93/filename-ext.php

on the "normal" url like this :

http://www.mysite.com/index.php?mact=Uploads,m8,getfile,1&m8upload_id=93&m8returnid=42&page=42

You just have to set up a rewriteRule and a public page, this public page
contain the module.
And rewrite rule will be :

RewriteRule ^uploads/([0-9]+)/([a-zA-Z0-9\-_]*)\.html$
index.php?mact=Uploads,m5,getfile,1&m5upload_id=$1&m5returnid=31&page=31 [QSA]

Where m5returnid and page, are set up with the id of your public page.
The "m5" will change with your version so test rewrite with your parameters.

Mickael B.
avatar 
Date: 2009-07-08 07:38
Posted By: blast blast (blast)

Can you check if using 

http://www.mysite.com/uploads/93/filename-ext.php

file downloads are still counted (summed)?

My counter is always "0" for all files (I'm using mod_rewrite) but I don't know
if this Is this a bug.

Can you confirm?
avatar 
Date: 2009-07-15 01:45
Posted By: Robert Campbell (calguy1000)

I've tested this numerous times recently and never had a problem.
Updates

Updated: 2013-04-11 22:30
cmsms_version_id: => -1
state: Open => Closed

Updated: 2009-07-15 01:45
resolution_id: => 11