
Obtain a public link file visible by non members in a private space

Open atdqm opened this issue 2 years ago • 7 comments

When someone downloads a file in a private space, he can share a public link. So the file is no longer private.

To do that : I go in the file menu, I check a folder

I click on the "Selected items" menu and I choose "Make Public"

The folder becomes public

In the folder files are public

I can display the URL (also switch the status Private / Public and if it's private I can make it public again...)

and copy it and share it to other people who are not in the private space

More discussion is here : https://community.humhub.com/content/perma?id=264761

atdqm avatar Feb 15 '23 10:02 atdqm

I add that the link is "working" : a non member of the private space who obtains the link can download the file

atdqm avatar Feb 15 '23 11:02 atdqm

This is linked to Issue #6 right?

I noticed with an integration of OnlyOffice if the link is shared as "edit" option to Guests, it will break the history (as no "User/Account" is defined for the Guest edit) → is there an issue for this (I looked, but maybe it got fixed already?)

timmwille avatar Mar 23 '23 17:03 timmwille

As I understand for private Space we don't allow to see a Folder by URL if user has no permission to see the Private Space, it is restricted like this:

folder_restrict

but if we open a similar URL of a File then such a request is not restricted and any user can download the File, because the URL has a format like this http://humhub.local/file/file/download?guid=cb292a8f-2af5-455a-9ad7-3248b1c41f24&download=1. So such file URLs should be restricted for users without permissions to view a Private Space.

yurabakhtin avatar Mar 24 '23 10:03 yurabakhtin

@luke- Fixed in core PR https://github.com/humhub/humhub/pull/6191.

After the fix, a Public file URL from a Private Space looks like this:

after_fix

yurabakhtin avatar Mar 24 '23 12:03 yurabakhtin

thanks @yurabakhtin I will test and close the issue later

atdqm avatar Mar 24 '23 14:03 atdqm

Tested with Humhub 1.14.0-beta.2 and Files module 0.15.1, but without @yurabakhtin patch (https://github.com/humhub/humhub/pull/6191). I have, for the link /file/file/download?guid=d86169e5-2011-44fd-9908-588aa85fefad&download=1:

So perhaps https://github.com/humhub/humhub/pull/6191 is useless now with this Humhub version?

@luke- I thought it was because of https://github.com/humhub/humhub/pull/6159 which should be merged into Humhub 1.14.0-beta.1 if we read the https://github.com/humhub/humhub/blob/develop/CHANGELOG-DEV.md, but it is not in the release https://github.com/humhub/humhub/releases

I've checked the code, and https://github.com/humhub/humhub/pull/6159 is not merged (e.g. protected/humhub/modules/space/modules/manage/jobs/ChangeContentVisibilityJob.php is not present).

So I don't understand why I get "Insufficient permissions!" on a public file in a private space even without https://github.com/humhub/humhub/pull/6191

marc-farre avatar Apr 04 '23 10:04 marc-farre

Normally, a Space with Private visibility should not have any Public content. With PR #6159 we ensure this when a Space is changed to "Private" afterwards, by converting all Public content to Private visibility.

For me it looks like the CFile module has a bug here when it offers the possibility of "Public" folders. This checkbox should not be available.

luke- avatar Apr 05 '23 15:04 luke-
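
The access rule discussed in this thread, as an added example that is not part of the issue and not HumHub code: a file is never more visible than the space that contains it, the same decision applies to the folder view and to the direct download-by-guid URL, and an audit lists files flagged Public inside a Private space. All class, function and field names and the sample data are hypothetical and constructed for illustration.

```python
"""Model of the visibility rule from the thread (hypothetical names, not HumHub code)."""
from dataclasses import dataclass, field
from typing import Optional

PRIVATE, PUBLIC = 0, 1  # constructed visibility levels for this model


@dataclass
class Space:
    name: str
    visibility: int
    members: set = field(default_factory=set)


@dataclass
class StoredFile:
    guid: str
    space: Space
    visibility: int  # the flag toggled by "Make Public" in the file menu


def effective_visibility(f: StoredFile) -> int:
    # Content can never be more visible than the space that contains it.
    return min(f.visibility, f.space.visibility)


def can_download(user: Optional[str], f: StoredFile) -> bool:
    # One decision for every route that serves the file, including
    # the direct download URL that only carries the file guid.
    if effective_visibility(f) == PUBLIC:
        return True
    return user is not None and user in f.space.members


def audit_public_in_private(files):
    # Files whose own flag says PUBLIC although their space is PRIVATE.
    return [f.guid for f in files
            if f.visibility == PUBLIC and f.space.visibility == PRIVATE]


# Constructed sample data (guids are placeholders)
team = Space("team", PRIVATE, {"alice"})
lobby = Space("lobby", PUBLIC, {"bob"})
FILES = [
    StoredFile("guid-0001", team, PUBLIC),   # the case reported in the issue
    StoredFile("guid-0002", team, PRIVATE),
    StoredFile("guid-0003", lobby, PUBLIC),
]
```
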