#1233 - Add security around files attached to catalogue entries
| Identifier | #1233 |
|---|---|
| Issue type | Minor issue (breaks specific functionality) |
| Title | Add security around files attached to catalogue entries |
| Status | Completed |
| Handling member | Chris Graham |
| Version | 9.0.6 |
| Addon | General / Uncategorised |
| Description | Catalogues and catalogue categories can be access controlled but no access specifically runs against attached files. This would mean that someone could guess at URLs to find attached files. Catalogue files were never originally designed/specified to be a secure upload mechanism. However, it is understandable people may want to use them this way -- so we are applying catalogue access permissions to them in this hotfix. |
| Steps to reproduce | |
| Funded? | No |
| Commits | |


Comments
A much more complex patch has been put in for v10, due to the need for this to work with the new multi-upload fields coming in v10. That was trickier due to there no longer being a simple 1-to-1 correspondence between fields and files, in relation to a particular entry -- while still needing to enforce security, define appropriate exceptions and maintain framework abstraction.
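
The access check this issue describes, modelled as an added example; it is not the project's own code. All names (`Entry`, `User`, `authorise_download`, the paths and ids) are hypothetical and the data is constructed. It applies the catalogue and category permissions to a file request and covers the multi-upload case where one field holds several files.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    catalogue: str
    category: int
    # field id -> stored file paths (a list, to cover multi-upload fields)
    uploads: dict = field(default_factory=dict)

@dataclass
class User:
    name: str
    catalogues: set   # catalogues this user may view
    categories: set   # category ids this user may view

# Constructed sample data, not taken from any real site.
ENTRIES = {
    7: Entry("contracts", 3, {12: ["uploads/catalogues/a1.pdf",
                                   "uploads/catalogues/a2.pdf"]}),
    8: Entry("brochures", 5, {12: ["uploads/catalogues/b1.pdf"]}),
}
STAFF = User("staff", {"contracts", "brochures"}, {3, 5})
GUEST = User("guest", {"brochures"}, {5})

def authorise_download(user, entry_id, field_id, index):
    """Return the stored path if the user may fetch it, else None."""
    entry = ENTRIES.get(entry_id)
    # Unknown and forbidden entries get the same answer, so the response
    # does not reveal which entry ids exist.
    if entry is None:
        return None
    # Same checks that protect the entry itself: catalogue, then category.
    if entry.catalogue not in user.catalogues:
        return None
    if entry.category not in user.categories:
        return None
    # Resolve the file from the entry record, never from a client-supplied
    # path, so a guessed URL cannot name a file attached to another entry.
    files = entry.uploads.get(field_id, [])
    if not isinstance(index, int) or not 0 <= index < len(files):
        return None
    return files[index]
```

A gate like this only helps if the upload directory is not also reachable directly by URL; otherwise the guessed-URL path described in the issue stays open.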