Forum post downloads should be publicly available in a public forum

Bug #655631 reported by Andrew Nicols
Affects: Mahara
Status: Fix Released
Importance: Medium
Assigned to: Richard Mansfield
Milestone: (not shown)

Bug Description

In a public forum (such as the mahara community forum), posts are readable when users are not logged in. However, any files attached to a post are only available when logged in.

As a result, you can only see images posted inline in a forum post when logged in. This also affects users receiving posts in e-mail, and through RSS feeds.

Arguably, if a user receives e-mail updates for forum posts, then this requires a separate resolution since not all groups are public groups. If a user is in a non-public group and receives e-mail alerts for a forum post with an inline image, then we should probably re-write the location of the image and include it as an attachment to the e-mail.

Richard Mansfield (richard-mansfield) wrote :

This could be quite annoying to fix, because the files aren't really marked anywhere as attached to the forum post, they're just sitting in the body.

I know in the case of blog posts, when you display them in a view, there is a nasty little regex somewhere that goes through the body of the post, looks for those download.php links and tries to rewrite the links to include the viewid*.

It would be possible to do something similar in forum posts, perhaps appending the userid of the poster to the download link, and then getting download.php to check that the user in the url has edit permission on the file artefact.

* Oops, there *used* to be a horrible regex somewhere that did this, but I inadvertently removed the call to that function when I messed with the rendering of blogposts. Will fix in https://bugs.launchpad.net/mahara/+bug/656096

Changed in mahara:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → 1.4.0
Changed in mahara:
status: Confirmed → In Progress
assignee: nobody → Richard Mansfield (richard-mansfield)
Richard Mansfield (richard-mansfield) wrote :

Planning to fix this using the attached patch.

First, whenever a forum post is saved, it'll use a basic regex to add the post id as a query parameter into any download links inside the post body, so <wwwroot>/artefact/file/download.php?file=77 would become <wwwroot>/artefact/file/download.php?file=77&post=88.

Then in download.php, it tries to check all the appropriate permissions (the user can see the post, the post author owns (or is allowed to publish) the artefact, the artefact id is in the post body).

I hope it's fairly solid, but it's easy to overlook stuff when doing this kind of thing, so it'd be great if someone else could take a look at it and try to think of ways a user could gain access to an artefact they shouldn't be able to see.
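The two-step scheme described in this comment (rewrite download links on save, then re-check in download.php) as an added illustration in Python; this is not Mahara's code, and the group, artefact and post tables are constructed in-memory stand-ins:

```python
import re

# Constructed stand-ins for the group, artefact and forum post tables.
# Post 88 lives in a public forum, post 89 in a private group.
GROUPS = {
    "community": {"public": True, "members": {"alice"}},
    "private": {"public": False, "members": {"alice", "carol"}},
}
ARTEFACTS = {77: {"owner": "alice"}, 78: {"owner": "bob"}, 79: {"owner": "alice"}}
POSTS = {
    88: {"author": "alice", "group": "community",
         "body": '<img src="/artefact/file/download.php?file=77&post=88">'},
    89: {"author": "alice", "group": "private",
         "body": '<img src="/artefact/file/download.php?file=77&post=89">'},
}

# A download.php?file=N link whose file id is not already followed by &post=.
# The \b stops the engine from backtracking to a shorter id to dodge the lookahead.
DOWNLOAD_LINK = re.compile(r"(artefact/file/download\.php\?file=(\d+))\b(?!&post=)")

def tag_download_links(body, postid):
    """Step 1 (on save): append &post=<id> to every untagged download link."""
    return DOWNLOAD_LINK.sub(lambda m: f"{m.group(1)}&post={postid}", body)

def artefact_ids_in_body(body):
    """Artefact ids referenced by download links in a post body."""
    return {int(n) for n in re.findall(r"download\.php\?file=(\d+)", body)}

def can_view_post(user, post):
    """Anyone (including an anonymous user, None) may read a public group's posts;
    otherwise the viewer must be a group member."""
    group = GROUPS[post["group"]]
    return group["public"] or user in group["members"]

def can_publish_artefact(user, fileid):
    """Stand-in for the author-owns-or-may-publish check (owner only here)."""
    art = ARTEFACTS.get(fileid)
    return art is not None and art["owner"] == user

def can_download(user, fileid, postid):
    """Step 2 (download.php?file=<fileid>&post=<postid>): all three checks
    must pass, and any missing post or artefact row denies."""
    post = POSTS.get(postid)
    if post is None or not can_view_post(user, post):
        return False
    if not can_publish_artefact(post["author"], fileid):
        return False
    return fileid in artefact_ids_in_body(post["body"])
```

The last check matters: without it, a poster could hand out a `post=` id that unlocks any file they own, not only the ones actually embedded in that post.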

Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/766
Committed: http://gitorious.org/mahara/mahara/commit/4165e4ab545a96b63c099ea33e6098751fef8e4d
Submitter: Richard Mansfield (<email address hidden>)
Branch: master

commit 4165e4ab545a96b63c099ea33e6098751fef8e4d
Author: Richard Mansfield <email address hidden>
Date: Tue Oct 4 18:33:56 2011 +1300

    User can_publish_artefact method too restrictive (bug #865911)

    The can_publish_artefact method on the User class, introduced in
    commit aba54873f4 (see bug #655631) is out of line with other
    permissions on the site when it comes to institution artefacts.

    Any institution member can include institution files on one of their
    own pages, but this method (currently used when putting images into
    forum posts) only allows publishing by institutional admins.

    This change adds publishing permission on institution artefacts for
    all institution members.

    Change-Id: I3f8a15de573de6f58497ae45839647b462fa5e89
    Signed-off-by: Richard Mansfield <email address hidden>
