Restricted images visible with a direct URL.

andrex · September 12th, 2007, 03:01 AM

I'm in the middle of setting up my site with PP 5.62 and am trying to setup a category that can only be seen by certain users. I have the visibility of the users setup right so 'user A' can see the the hidden category and 'user B' can't. I've added a photo to the hidden category as 'user A' and 'user A' can see it, search for it, etc. 'User B' can't, which is right.

Now if I type in the URL of the hidden image (which is not hard to guess) while I am logged in as 'user B', the image is displayed (this is true even if I am not logged in at all). I would have thought that the security system would kick in and prevent the image being displayed regardless of whether a direct URL was used or not. I've even removed all privileges from every user group and it makes no difference.

Is the easy override of the security a design feature or is this a bug?

Thanks

Chuck S · September 12th, 2007, 08:21 AM

If you allow someone to see a direct url of an image and you type that in your browser to see that image you are no longer in the photopost software in any manner. There is nothing we can do about someone like that. You can try some type of mod rewrite to help protect direct image paths but nothing is foolproof.

http://www.photopost.com/tipsphp.html

andrex · September 12th, 2007, 01:48 PM

That makes sense. I should have been clear about the URL that I'm talking about. It is something like: http://mysite.com/pp/showphoto.php/photo/49. To me that means that the showphoto.php should be able to authenticate the user before the image is displayed. That's not happening. My PP install is integrated into my phpbb2 forum (I'm logged out of the forum as well when I test this).

Any other ideas?

Thanks

Chuck S · September 12th, 2007, 02:08 PM

I would suggest you post your site url here for us to see and you can try to explain your issue.

andrex · September 12th, 2007, 03:33 PM

OK.

I've created a picture in a hidden category (permissions are all off for all user groups apart from admin).

The URL for the picture is http://forums.cornishheritagefarms.c...to.php/photo/1

Chuck S · September 12th, 2007, 04:15 PM

Okay and I get the correct message I do not have permission to view images in this category so please explain your issue?

andrex · September 12th, 2007, 11:24 PM

Yep! I remembered that I had changed some code in the forums/phpbb2.php file and I changed it back just before you looked. I'd obviously introduced a bug.

However undoing my changes opened up the bug that I was trying to fix in the first place. This was that if you logged in as any valid user and then logged out, you could log in as any user (including the admin) without a password as long as you used the same browser window. In the end I changed line 344 of the file mentioned above to:

if ( isset($md5autologin) && $md5autologin == $session_key ) $checkpass = 1;

From:

if ( $md5autologin == $session_key ) $checkpass = 1;

For some reason the session key and md5autologin where both blank and therefore matching, even though they shouldn't have.

Now both problems are gone.

Thanks.

Chuck S · September 13th, 2007, 09:46 AM

Not a problem my friend