#6339 - Disabling the 'download downloads' privilege does not prevent dload.php downloads
| Identifier | #6339 |
|---|---|
| Issue type | Major issue (breaks an entire feature) |
| Title | Disabling the 'download downloads' privilege does not prevent dload.php downloads |
| Status | Completed |
| Handling member | PDStig |
| Version | 11 beta8 |
| Addon | downloads |
| Description | Disabling the 'download downloads' privilege does not prevent dload.php downloads. If the privilege is disabled, then I expect that you cannot download anything from the downloads. |
| Funded? | No |

Comments
System message - Issue updated
Also, Apache redirects do not affect dload.php.
Also, .htaccess does not affect dload.php.
Also, the permissions tree editor does not affect dload.php.
Something is FUNDAMENTALLY BROKEN.
System message - Issue updated
Permission checks in dload.php were not broad enough. We were only checking permissions and privileges on the category of the download. We should have been doing a global check (e.g., permission to the module as a whole was denied).
This resolution does not fix issues with dload.php bypassing .htaccess files or redirects; I will consider those a separate issue.
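
The gap described in the resolution above, as an added example that is not Composr's code: a simplified model in which the category-only check passes while a layered, deny-by-default check refuses the download. Every function name, array key and permission value here is hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not Composr code. All names and data are hypothetical.

// Constructed permission data for one usergroup.
$perms = [
    'privileges' => ['download_downloads' => false], // global privilege switched off
    'modules'    => ['downloads' => true],            // access to the module as a whole
    'categories' => ['downloads' => [3 => true]],     // per-category access
];

function category_allowed(array $p, string $module, int $cat): bool
{
    // A missing entry counts as a denial.
    return $p['categories'][$module][$cat] ?? false;
}

// "Before": only the download's category is consulted.
function may_download_category_only(array $p, int $cat): bool
{
    return category_allowed($p, 'downloads', $cat);
}

// "After": every layer must grant access; anything missing is a denial.
function may_download(array $p, int $cat): bool
{
    if (!($p['privileges']['download_downloads'] ?? false)) {
        return false; // global privilege denied
    }
    if (!($p['modules']['downloads'] ?? false)) {
        return false; // module access denied
    }
    return category_allowed($p, 'downloads', $cat);
}

// The script that streams the file runs the full check itself and
// answers with an HTTP status before any file bytes are sent.
function serve_download(array $p, int $cat): int
{
    return may_download($p, $cat) ? 200 : 403;
}

var_dump(may_download_category_only($perms, 3)); // category-only check
var_dump(serve_download($perms, 3));             // layered check
```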