mahara-contributors team mailing list archive
Message #02725
[Bug 655631] Re: Forum post downloads should be publicly available in a public forum
Planning to fix this using the attached patch.
First, whenever a forum post is saved, it'll use a basic regex to add
the post id as a query parameter into any download links inside the post
body, so <wwwroot>/artefact/file/download.php?file=77 would become
<wwwroot>/artefact/file/download.php?file=77&post=88.
Then in download.php, it tries to check all the appropriate permissions
(the user can see the post, the post author owns (or is allowed to
publish) the artefact, the artefact id is in the post body).
I hope it's fairly solid, but it's easy to overlook stuff when doing
this kind of thing, so it'd be great if someone else could take a look
at it and try to think of ways a user could gain access to an artefact
they shouldn't be able to see.
** Patch added: "bug655631.patch"
https://bugs.launchpad.net/mahara/+bug/655631/+attachment/1864995/+files/bug655631.patch
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/655631
Title:
Forum post downloads should be publicly available in a public forum
Status in Mahara ePortfolio:
In Progress
Bug description:
In a public forum (such as the mahara community forum), posts are
readable when users are not logged in. However, any files attached to
a post are only available when logged in.
As a result, you can only see images posted inline in a forum post
when logged in. This also affects users receiving posts in e-mail, and
through RSS feeds.
Arguably, if a user receives e-mail updates for forum posts, then this
requires a separate resolution since not all groups are public groups.
If a user is in a non-public group and receives e-mail alerts for a
forum post with an inline image, then we should probably re-write the
location of the image and include it as an attachment to the e-mail.
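The link rewriting and the three-part permission check described in the comment above, modelled as a small stand-alone Python example. This is added illustration, not Mahara's PHP code or the attached patch: WWWROOT, the group/forum/post/artefact tables and every user, file and post id below are constructed for the example, and the "or is allowed to publish" case is reduced to plain ownership.

```python
import re
from dataclasses import dataclass

# Assumed site root standing in for Mahara's <wwwroot>; constructed for this example.
WWWROOT = "https://example.org/mahara/"

# Matches this site's file download links, optionally followed by a post= parameter
# that an earlier save already appended.  Links to other hosts are left alone.
_FILE_LINK = re.compile(
    re.escape(WWWROOT) + r"artefact/file/download\.php\?file=(\d+)(?:&post=\d+)?"
)


def rewrite_download_links(body, post_id):
    """Append post=<id> to every download link in the post body (done on save).
    An existing post= parameter right after file= is replaced, so re-saving an
    already-rewritten post does not stack duplicate parameters."""
    return _FILE_LINK.sub(
        lambda m: f"{WWWROOT}artefact/file/download.php?file={m.group(1)}&post={post_id}",
        body,
    )


def linked_file_ids(body):
    """Artefact ids referenced by download links in the stored post body."""
    return {int(m.group(1)) for m in _FILE_LINK.finditer(body)}


@dataclass(frozen=True)
class Group:
    public: bool
    members: frozenset


@dataclass(frozen=True)
class Post:
    forum: str
    author: str
    body: str


# Constructed sample data: one public group and one private group.
GROUPS = {
    "community": Group(public=True, members=frozenset({"alice"})),
    "staff": Group(public=False, members=frozenset({"alice", "bob"})),
}
FORUMS = {"general": "community", "internal": "staff"}   # forum -> owning group
ARTEFACTS = {77: "alice", 78: "alice", 91: "bob"}          # artefact id -> owner


def _link(file_id):
    return f"{WWWROOT}artefact/file/download.php?file={file_id}"


# Post bodies are stored in their rewritten form, as the patch description says.
POSTS = {
    88: Post("general", "alice", rewrite_download_links(f'<img src="{_link(77)}">', 88)),
    # mallory links to bob's file from her own post in the public forum
    89: Post("general", "mallory", rewrite_download_links(f'<a href="{_link(91)}">x</a>', 89)),
    90: Post("internal", "bob", rewrite_download_links(f'<img src="{_link(91)}">', 90)),
}


def can_download(viewer, file_id, post_id):
    """Decision download.php would make; viewer is a username or None when logged out.
    All three conditions from the comment must hold."""
    post = POSTS.get(post_id)
    if post is None:
        return False
    group = GROUPS[FORUMS[post.forum]]
    # 1. The viewer can see the post: the forum's group is public or they are a member.
    if not group.public and viewer not in group.members:
        return False
    # 2. The post author owns the artefact, so nobody can publish someone else's
    #    file simply by linking to it from a post they wrote.
    if ARTEFACTS.get(file_id) != post.author:
        return False
    # 3. The artefact really is linked from the stored body, so the post parameter
    #    cannot be used to fetch other files the author happens to own.
    return file_id in linked_file_ids(post.body)
```

Two caveats a reviewer of the real patch would want checked: inside an HTML attribute the appended `&` should be emitted as `&amp;`, and the check on the stored body must run against the rewritten text the server saved, not anything the client sends with the download request.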