Downloading attachment without permission

Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Using JForum version 2.1.7 it's possible to download an attachment from a forum in which the user has no permission to read/write posts. Of course, only if you know the exact URL, something like:
http://jforum/posts/downloadAttach/_postID_.page

I've added those lines to the net.jforum.view.forum.PostAction downloadAttach() method:

Maybe it's not the best way...
[originally posted on jforum.net by ramons]
There are not just the permission sets to read/write, but also one to allow download of attachments in the listed forums.

Have you tried to use those attachment-limitation properties too? I guess those may be the ones that are checked ... though I have to admit I did not test it yet. Takes a lot of fantasy to get there ;)

In addition to that we allow download of attachments for any of the people that can log on - and only users that have been authenticated by the SSO implementation can ever log on ^^
[originally posted on jforum.net by Sid]
Please create a JIRA issue about this (very easy!) and attach your fix. It's more likely to get fixed if it's in JIRA. Things like this in the forums tend to get lost in all the traffic.

TIA
[originally posted on jforum.net by monroe]
In the current CVS source, there is already a patch for this:

You have to modify SystemGlobals.properties or jforum-custom.conf for the following setting:


This will force anonymous users to log in first before they can download attachments.
[originally posted on jforum.net by andowson]
Sid wrote: Have you tried to use those attachment-limitation properties too?

I don't really understand what "attachment-limitation properties" means, I guess you are talking about the "Quota limits" in the Admin Panel. I didn't find anything else than size limitation.

andowson wrote: In the current CVS source, there is already a patch for this

As far as I understand that patch just checks for the user's permission to add attachments and download them, but does it check the permission per forum category? I mean, a user is in a category with those permissions but the topic where the file is doesn't belong to the same category. Will "SecurityRepository.canAccess(SecurityConstants.PERM_ATTACHMENTS_DOWNLOAD)" check the permission for the category of the forum where the topic is? Or just whether the user has this right?

monroe wrote: Please create a JIRA issue about this (very easy!) and attach your fix

I didn't do it because I thought the code was not well written, but I'll do it as soon as somebody can tell me whether the CVS patch does what I want or not, otherwise it is a waste of time for the JForum developers.

Thanks for your tips!

PS: as far as I see there are lots of improvements in the next JForum version, I'm really looking forward to it.
PS2: does anybody know which version this JForum is?
[originally posted on jforum.net by ramons]
Ramons, no, I was not speaking of the quota settings. Have a look at the permission sets for users or groups. There you'll find

Attachments
Enable Attachments
Allow download of existing Attachment

Hence you can disable the download for anonymous users, or certain user groups. And you can set in which forums attachments may be allowed or not.
[originally posted on jforum.net by Sid]
The patch in CVS will force anonymous users to log in first before downloading an attachment file. If this is what you want, then the CVS code can be used to do so. But if you want to check the permission after login, JForum doesn't provide this functionality per category.
And currently there is no category-level permission for setting a user group's rights. You have to do it on each board.
[originally posted on jforum.net by andowson]
If so, then the update documentation for 2.1.7 to 2.1.8 has a flaw - as it does not describe that there are new necessary parameters, nor is there information on updating the language files, which may be necessary for showing the new setting on the admin panel ... just a guess though ...

If you already put up documentation on upgrading to a version that is not even officially available - please make sure it lacks no information ...
[originally posted on jforum.net by Sid]
Sorry, but I'm getting mad about this. Now I don't understand if I'm doing something wrong or if what I want is not implemented.
I hope some developer can show me the light. I'm going to try to explain the situation.

Let's say userA and userB.
userA is in groupA/categoryA and userB in groupB/categoryB.
There's forumA associated to categoryA and forumB to categoryB.
userB posts a file to forumB and gives the download link to userA.
In the jforum_roles table I've got a 'perm_attachments_download' role for forumA-groupA and another one for forumB-groupB.
Even so, userA can download the file userB has posted.
Is this normal behaviour?
Does SecurityRepository.canAccess(SecurityConstants.PERM_ATTACHMENTS_DOWNLOAD) just check if the user has the 'perm_attachments_download' role, no matter for which forum?

I'm sorry I can't explain myself better way.
[originally posted on jforum.net by ramons]
Well, I think I've found what I want.
In the CVS code there's:


but I think that the second canAccess call should be done this way:


Please correct me if it's wrong, otherwise I submit it to Jira.
Thanks in advance
[originally posted on jforum.net by ramons]
Sid wrote: If so, then the update documentation for 2.1.7 to 2.1.8 has a flaw - as it does not describe that there are new necessary parameters, nor is there information on updating the language files, which may be necessary for showing the new setting on the admin panel ... just a guess though ...

If you already put up documentation on upgrading to a version that is not even officially available - please make sure it lacks no information ...


The documentation is not 100% yet, and neither is 2.1.8

Rafael
[originally posted on jforum.net by Rafael Steil]
ramons wrote: Well, I think I've found what I want.
In the CVS code there's:


but I think that the second canAccess call should be done this way:


Please correct me if it's wrong, otherwise I submit it to Jira.
Thanks in advance


Why you think that?

Rafael
[originally posted on jforum.net by Rafael Steil]
Oops, sorry, I mixed it up.
I'm going to try to explain myself.
As far as I understand there are two permissions associated with attachments:
- PERM_ATTACHMENTS_DOWNLOAD and
- PERM_ATTACHMENTS_ENABLED

The PERM_ATTACHMENTS_ENABLED role has a value associated which is a forumID. So this role is per forum and group, isn't it?

So why isn't it checked the same way when getting an attachment? It seems to me that the condition to download the attachment is that the user has PERM_ATTACHMENTS_ENABLED in any forum, not in the one we're trying to download from.

Thanks,
Ramon
[originally posted on jforum.net by ramons]
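The three checks discussed across this thread (the 2.1.7 behaviour where knowing the post ID is enough, the CVS patch that forces a login and then checks a forum-agnostic download role, and a forum-scoped check of the kind ramons proposes for the userA/userB scenario above), as a runnable model. This is an added example, not part of the original posts and not JForum's own code: the role table layout, user/group mapping, forum and post IDs, and the `can_access`/`download_*`/`outcome` names are all constructed for illustration, and resolving the forum through the post record is an assumption about how the forum ID would be obtained.

```python
"""Model of the attachment-download checks discussed in this thread.

Added example, not JForum code. The jforum_roles table is modelled as
(group, role_name, role_value) triples, where role_value is the forum id a
forum-scoped role applies to. All names and data below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

PERM_ATTACHMENTS_DOWNLOAD = "perm_attachments_download"
PERM_ATTACHMENTS_ENABLED = "perm_attachments_enabled"

FORUM_A, FORUM_B = 1, 2


@dataclass(frozen=True)
class Post:
    post_id: int
    forum_id: int
    attachment: str


# Constructed sample data reproducing the userA/userB scenario from the thread:
# each group holds the attachment roles only for its own forum.
USER_GROUPS = {"userA": {"groupA"}, "userB": {"groupB"}}
ROLES = {
    ("groupA", PERM_ATTACHMENTS_ENABLED, FORUM_A),
    ("groupA", PERM_ATTACHMENTS_DOWNLOAD, FORUM_A),
    ("groupB", PERM_ATTACHMENTS_ENABLED, FORUM_B),
    ("groupB", PERM_ATTACHMENTS_DOWNLOAD, FORUM_B),
}
POSTS = {
    10: Post(10, FORUM_A, "forumA-notes.txt"),
    20: Post(20, FORUM_B, "forumB-report.pdf"),  # posted by userB
}


def can_access(user: str, role: str, forum_id: Optional[int] = None) -> bool:
    """With forum_id=None this is the forum-agnostic check: any group of the
    user holding the role for any forum is enough. With a forum_id the role
    must carry that forum's id as its value."""
    groups = USER_GROUPS.get(user, set())
    return any(
        group in groups and name == role and (forum_id is None or value == forum_id)
        for group, name, value in ROLES
    )


def download_2_1_7(user: Optional[str], post_id: int) -> str:
    """Behaviour reported for 2.1.7: knowing /posts/downloadAttach/<postID>.page
    is enough; the user (even anonymous) is not consulted at all."""
    return POSTS[post_id].attachment


def download_login_plus_global(user: Optional[str], post_id: int) -> str:
    """CVS patch as described in the thread: anonymous users must log in, then
    PERM_ATTACHMENTS_DOWNLOAD is checked without regard to the post's forum."""
    if user is None:
        raise PermissionError("login required")
    if not can_access(user, PERM_ATTACHMENTS_DOWNLOAD):
        raise PermissionError("no attachment download permission")
    return POSTS[post_id].attachment


def download_forum_scoped(user: Optional[str], post_id: int) -> str:
    """Check along the lines ramons proposed: resolve the forum the post lives
    in and require the download role for that forum specifically (looking the
    forum up via the post record is an assumption of this example)."""
    if user is None:
        raise PermissionError("login required")
    post = POSTS.get(post_id)
    if post is None:
        raise LookupError(f"no post {post_id}")
    if not can_access(user, PERM_ATTACHMENTS_DOWNLOAD, post.forum_id):
        raise PermissionError(f"no download permission in forum {post.forum_id}")
    return post.attachment


def outcome(check: Callable[[Optional[str], int], str],
            user: Optional[str], post_id: int) -> str:
    """Summarise one download attempt as 'allowed' or 'denied'."""
    try:
        check(user, post_id)
        return "allowed"
    except (PermissionError, LookupError):
        return "denied"


if __name__ == "__main__":
    checks = [
        ("2.1.7", download_2_1_7),
        ("login + global role", download_login_plus_global),
        ("forum-scoped role", download_forum_scoped),
    ]
    # userA has no role in forumB; only the forum-scoped check denies the
    # cross-forum download of userB's attachment (post 20).
    for label, check in checks:
        print(f"{label:20s} anon->20: {outcome(check, None, 20):8s} "
              f"userA->20: {outcome(check, 'userA', 20):8s} "
              f"userB->20: {outcome(check, 'userB', 20)}")
```

The point the model makes explicit is the one the thread circles around: a role that carries a forum ID as its value is only meaningful if the check passes the forum ID of the object being fetched, so the authorization decision has to start from the post (or attachment) and work back to its forum, not from the user alone.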
Yes, it makes sense. Please add this to Jira.

Rafael
[originally posted on jforum.net by Rafael Steil]
Ok, thanks, I'm working on this. The PERM_ATTACHMENTS_DOWNLOAD will also change from Yes / No to "perm-forum" role, just like PERM_ATTACHMENTS_ENABLED.

It does make more sense, right?

Rafael
[originally posted on jforum.net by Rafael Steil]
Added to Jira as JF-731
Maybe somebody can improve it because I don't know a better way to get the forumID associated to the attachment.

Pleased to help.
--
Ramon
[originally posted on jforum.net by ramons]
Ok, the changes are in the CVS now.

Rafael
[originally posted on jforum.net by Rafael Steil]
 