Photopost Pro Bug Reports: Post post-installation PhotoPost Pro problems here.
February 6th, 2008, 02:20 PM
#1
Junior Member, Verified Customer
Join Date: Dec 2005
Posts: 11

RSS shows hidden images
I have noticed that RSS shows images that are hidden. Is this normal, or is it a bug?
February 6th, 2008, 02:52 PM
#2
Member, Verified Customer
Join Date: Jan 2008
Posts: 55

I was just about to post this. The RSS feed does not properly check whether a user should have access to the images before posting thumbnails. A malicious user could easily use this to keep an eye on categories where private images might be shown.
Even better, when the user who shouldn't have access clicks on the thumbnail, he's taken to the showphoto page and shown the photo (at least in my testing; it may be due to having the same IP even though logged in as a different user). If the user then clicks to get the big image, he gets the popup with the "pending approval" image shown.
If the user goes to display the category that the private image is in, the private image will not be shown to him. But he still has access to the showphoto and the medium-sized image.
I'll look at external.php and see what needs to be fixed. I'd say basically any image set to private shouldn't go to the feed no matter what.
Correct me if I'm wrong, or if I hacked something that broke this, but now if I paste the showphoto.php/photo/[privatephotoID] URL into a not-logged-in browser, I can see the supposedly private photo?
February 6th, 2008, 03:27 PM
#3
Member, Verified Customer
Join Date: Jan 2008
Posts: 55

Here's what I changed to fix this. Find in external.php:
Code: [Content visible to verified customers only.]
Change the lines in between to:
Code: [Content visible to verified customers only.]
This changes it so the query always has 'approved = 1' in it (i.e., the image is not private or unapproved). If the RSS request specifies a category ($cat) it adds that into the query; if it specifies a user ($ppuser) it adds that; otherwise it runs with $cats set to null.
This really should be fixed and put out as a maintenance release. If people are going around thinking their images are private, they are mistaken.
February 6th, 2008, 04:35 PM
#4
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,683

external.php does indeed check a user's permissions before displaying data; this is what this line is for:
Code: [Content visible to verified customers only.]
I think the title is a little misleading, as what you're posting is that the user has permissions to view the image, yet the RSS shows unapproved photos. I will pass that along to the developer.
February 6th, 2008, 04:37 PM
#5
Member, Verified Customer
Join Date: Jan 2008
Posts: 55

That looks like it's checking to see whether a particular user/group has permission to view a category, not an image. If you "hide" an image but it's in a public category, anyone who runs the feed for that category will be able to see it.
February 6th, 2008, 05:35 PM
#6
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,683

Correct. As noted, you're talking about approval of the image, which we can pass along to the developer to add.
February 6th, 2008, 06:00 PM
#7
Member, Verified Customer
Join Date: Jan 2008
Posts: 55

So continuing this, is showphoto.php supposed to show images to everyone who knows the URL, or is it supposed to check and not display hidden images? I notice that featured/next-prev/random image blocks and galleries don't show thumbs for the hidden images, but I am still able to get to them by typing in the URL showphoto.php/photo/[hiddenimagenumber].
February 6th, 2008, 06:21 PM
#8
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,683

approved=1 is what I am passing along to the developer, as this would be a correct addition.
February 6th, 2008, 06:30 PM
#9
Member, Verified Customer
Join Date: Jan 2008
Posts: 55

Quote: Originally Posted by styleforum
    So continuing this, is showphoto.php supposed to show images to everyone who knows the URL, or is it supposed to check and not display hidden images? I notice that featured/next-prev/random image blocks and galleries don't show thumbs for the hidden images, but I am still able to get to them by typing in the URL showphoto.php/photo/[hiddenimagenumber].
Can I get an answer to this? I can only test it on my own install, which admittedly is rather hacked at this point. I want to be able to tell my users whether "hidden" images are really hidden.
February 6th, 2008, 06:38 PM
#10
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,683

showphoto shows images a user has permission to view. You as admin can view anything, so take that into account.
February 6th, 2008, 06:42 PM
#11
Member, Verified Customer
Join Date: Jan 2008
Posts: 55

Quote: Originally Posted by Chuck S
    showphoto shows images a user has permission to view. You as admin can view anything, so take that into account.
Of course, but when I try it from a different computer, either logged out or logged in as a regular user (one of my vB test user accounts), I'm still able to see a hidden photo by going directly to the URL. Have I broken something, or is that normal behavior?
February 6th, 2008, 06:52 PM
#12
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,683

Normal behavior, I would assume, as basically the photo is no longer shown on showgallery and users would not see it to click it, but if you know the URL it is shown.
February 6th, 2008, 07:13 PM
#13
Member, Verified Customer
Join Date: Jan 2008
Posts: 55

Quote: Originally Posted by Chuck S
    Normal behavior, I would assume, as basically the photo is no longer shown on showgallery and users would not see it to click it, but if you know the URL it is shown.
Okay, but doesn't that mean that someone can just go sequentially showphoto.php/photo/1, showphoto.php/photo/2, etc. and see every picture no matter what category it's in or what permissions are on it? Or write a script to do the same thing and get all the images off the page?
Edit: it looks like at least when you put them in a private album, they get a "password required" page. But they can still obviously access them if they know the URL.
Last edited by styleforum; February 6th, 2008 at 07:25 PM.
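The two access checks argued over in this thread, the feed query from post #3 (always AND in 'approved = 1' alongside the optional $cat / $ppuser filters) and the direct showphoto.php/photo/[id] lookup from posts #7 through #13 (category permission alone lets a hidden photo through to anyone who enumerates ids), side by side as an added example. This is not PhotoPost's code: the photos table, its columns other than the 'approved' flag the thread names, the usergroup-to-category mapping and the sample rows are all constructed for the example, and the owner/admin exemption on unapproved photos is an assumption about how a fix might reasonably behave.

```python
import sqlite3

# Constructed sample data (not from PhotoPost). Only the 'approved' flag is
# taken from the thread; table and other column names are assumptions.
SCHEMA = """
CREATE TABLE photos (
    id       INTEGER PRIMARY KEY,
    cat      INTEGER NOT NULL,
    userid   INTEGER NOT NULL,
    approved INTEGER NOT NULL   -- 1 = approved/public, 0 = hidden/pending
);
"""
SAMPLE_PHOTOS = [
    # id, cat, userid, approved
    (1, 10, 100, 1),
    (2, 10, 100, 0),   # hidden image sitting in a public category
    (3, 10, 101, 1),
    (4, 20, 101, 1),   # category 20 is restricted to registered users
    (5, 20, 101, 0),
]
# Assumed usergroup -> categories that group may view (models the
# per-category usergroup permissions the developer refers to).
CATEGORY_PERMS = {
    "guest":      {10},
    "registered": {10, 20},
    "admin":      {10, 20},
}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO photos VALUES (?, ?, ?, ?)", SAMPLE_PHOTOS)
    return conn

def build_feed_query(allowed_cats, cat=None, ppuser=None, require_approved=True):
    """Build the RSS feed SELECT.  allowed_cats is the category-permission
    check already in external.php; require_approved=True adds the 'approved = 1'
    term from post #3 (False reproduces the reported leak of hidden thumbnails).
    cat / ppuser play the role of $cat / $ppuser.  Values are bound, not
    string-interpolated, so the filters cannot be injected into."""
    if not allowed_cats:
        return "SELECT id FROM photos WHERE 0", []
    placeholders = ",".join("?" for _ in allowed_cats)
    clauses = [f"cat IN ({placeholders})"]
    params = sorted(allowed_cats)
    if require_approved:
        clauses.append("approved = 1")
    if cat is not None:
        clauses.append("cat = ?")
        params.append(cat)
    if ppuser is not None:
        clauses.append("userid = ?")
        params.append(ppuser)
    return "SELECT id FROM photos WHERE " + " AND ".join(clauses) + " ORDER BY id", params

def feed_ids(conn, usergroup, cat=None, ppuser=None, require_approved=True):
    """Photo ids the feed would emit thumbnails for, for this usergroup."""
    sql, params = build_feed_query(CATEGORY_PERMS.get(usergroup, set()),
                                   cat, ppuser, require_approved)
    return [row[0] for row in conn.execute(sql, params)]

def can_view_photo(conn, photo_id, usergroup, userid=None, check_approval=True):
    """showphoto-style decision for a direct showphoto.php/photo/<id> request.
    check_approval=False is the category-only behaviour described in post #12;
    with it on, an unapproved photo is shown only to its owner or an admin."""
    row = conn.execute("SELECT cat, userid, approved FROM photos WHERE id = ?",
                       (photo_id,)).fetchone()
    if row is None:
        return False
    cat, owner, approved = row
    if cat not in CATEGORY_PERMS.get(usergroup, set()):
        return False
    if not check_approval or approved == 1:
        return True
    return usergroup == "admin" or (userid is not None and userid == owner)

def enumerate_visible(conn, usergroup, userid=None, max_id=10, check_approval=True):
    """Walk photo/1 .. photo/max_id as post #13 describes; return what is shown."""
    return [i for i in range(1, max_id + 1)
            if can_view_photo(conn, i, usergroup, userid, check_approval)]

if __name__ == "__main__":
    conn = make_db()
    print("guest feed, cat=10, no approval check:", feed_ids(conn, "guest", cat=10, require_approved=False))
    print("guest feed, cat=10, approved=1 added: ", feed_ids(conn, "guest", cat=10))
    print("guest enumerating, category check only:", enumerate_visible(conn, "guest", check_approval=False))
    print("guest enumerating, approval enforced:  ", enumerate_visible(conn, "guest"))
    print("owner 100 enumerating:", enumerate_visible(conn, "registered", userid=100))
```

Running it, the unpatched feed for category 10 hands a guest the thumbnail of hidden photo 2, and the category-only showphoto check lets the same guest fetch it by id; with 'approved = 1' in the feed query and the approval test in the direct lookup, photo 2 is visible only to its owner and to admins, while the category permission still keeps category 20 away from guests entirely.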
| |
February 6th, 2008, 08:20 PM
#14
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 71,683

No, they have to have category permissions, based on the usergroup permissions you set, to view it.