Not Honouring Permissions in V8.3.2

I have created a folder for each member with view permissions for only that member; however, all files are being listed by the addon on all members' pages.
Have checked the permissions and they are correct.
The two test members I have set up can see each others files.
My big concern here is that I already have a site using this addon to display confidential client files based on this method.
It is running V8.1 and V1.0.12 and is working as expected. If I update that site to the latest C5 version and update the addon, confidential files may be displayed to all members.

Colin

Type: Discussion
Status: In Progress
cmerritt
cmerritt replied:
Update on this.
After further testing I have found that, although all files in the set are showing, files without view permissions show "invalid file" when clicking on the link.

So the issue is just that all files are showing in the list of available files.
A side note to this is that it also occurs on the Document Library block provided with the core.

Colin
mesuva replied:
I believe this is a core change that has removed permissions from File Sets - https://www.concrete5.org/developers/bugs/8-1-0/fileset-permissions-...

It may be possible to adjust the template to check each file, but I haven't tested this yet.

There is a call canViewFile() against each file that adjusts the URL in the template, that might instead be able to more broadly check before even trying to output a file.
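
One way to apply a per-file check before anything is output, as the reply above suggests. This is an added example, not code from the add-on or from concrete5; `filterViewableFiles`, `renderFileList`, the `$canView` callback and the sample records are hypothetical stand-ins, and in a real template the callback would wrap the `canViewFile()` check mentioned above.

```php
<?php
// Added example: plain PHP, no concrete5 classes. The file records and the
// permission callback are constructed stand-ins.

// Keep only files the viewer may see. Fails closed: a check that throws or
// returns anything other than true leaves the file out of the listing.
function filterViewableFiles(array $files, callable $canView): array
{
    $visible = [];
    foreach ($files as $file) {
        try {
            $allowed = $canView($file) === true;
        } catch (Throwable $e) {
            $allowed = false;
        }
        if ($allowed) {
            $visible[] = $file;
        }
    }
    return $visible;
}

// Render the listing; titles and URLs are escaped for HTML output.
function renderFileList(array $files): string
{
    $html = "<ul>\n";
    foreach ($files as $file) {
        $html .= sprintf(
            "  <li><a href=\"%s\">%s</a></li>\n",
            htmlspecialchars($file['url'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($file['title'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . "</ul>\n";
}

// Constructed sample: one file set holding two members' files.
$fileSet = [
    ['title' => 'alice-contract.pdf', 'url' => '/download/1', 'viewers' => ['alice']],
    ['title' => 'bob-invoice.pdf', 'url' => '/download/2', 'viewers' => ['bob']],
    ['title' => 'no-acl-record.pdf', 'url' => '/download/3'], // check throws: hidden
];
$currentUser = 'alice';
// Stand-in for the per-file permission check (hypothetical ACL lookup).
$canView = function (array $file) use ($currentUser): bool {
    if (!isset($file['viewers'])) {
        throw new RuntimeException('no ACL recorded for file');
    }
    return in_array($currentUser, $file['viewers'], true);
};
echo renderFileList(filterViewableFiles($fileSet, $canView));
```

Filtering before rendering keeps file names out of the page as well as blocking the download, which matters when the names themselves identify another client.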
cmerritt replied:
Thanks for the prompt reply.

To the best of my knowledge and as per my first post, it does work correctly with C5 V8.1 and V1.0.12 of your add-on.

Shouldn't it check file permissions, as you can override set/folder permissions?

Colin

concrete5 Environment Information

# concrete5 Version
Core Version - 8.3.2
Version Installed - 8.3.2
Database Version - 20180122213656

# concrete5 Packages
Afixia: Login Redirect (0.9.2), List files from set (1.0.13), Login Dialog (0.9.7), Pixel Theme (2.0.3), Simple Gallery (1.0.7), User Info (1.2.2)

# concrete5 Overrides
blocks/login_dialog/templates/top_bar/view.php, blocks/login_dialog/templates/top_bar/view.css, blocks/login_dialog/templates/top_bar, blocks/login_dialog/templates, blocks/login_dialog

# concrete5 Cache Settings
Block Cache - Off
Overrides Cache - Off
Full Page Caching - Off
Full Page Cache Lifetime - Every 6 hours (default setting).

# Server Software
Apache/2.4.29 (cPanel) OpenSSL/1.0.2n mod_bwlimited/1.4

# Server API
cgi-fcgi

# PHP Version
5.6.33

# PHP Extensions
bcmath, calendar, cgi-fcgi, Core, ctype, curl, date, dom, ereg, fileinfo, filter, ftp, gd, hash, iconv, imap, ionCube Loader, json, libxml, mbstring, mcrypt, mhash, mysql, mysqli, mysqlnd, openssl, pcntl, pcre, PDO, pdo_mysql, pdo_sqlite, Phar, posix, readline, Reflection, session, SimpleXML, soap, sockets, SPL, sqlite3, standard, tokenizer, wddx, xml, xmlreader, xmlwriter, xsl, zip, zlib

# PHP Settings
max_execution_time - 600
log_errors_max_len - 1024
max_file_uploads - 20
max_input_nesting_level - 64
max_input_time - 600
max_input_vars - 1000
memory_limit - 1024M
post_max_size - 8M
sql.safe_mode - Off
upload_max_filesize - 128M
mysql.max_links - Unlimited
mysql.max_persistent - Unlimited
mysqli.max_links - Unlimited
mysqli.max_persistent - Unlimited
pcre.backtrack_limit - 1000000
pcre.recursion_limit - 100000
session.cache_limiter - no value
session.gc_maxlifetime - 7200
soap.wsdl_cache_limit - 5

Browser User-Agent String

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
