Ticket #319 (new defect)

Opened 9 months ago

Last modified 2 months ago

Users able to navigate to other users' file upload page

Reported by: jack Assigned to: nobody
Priority: high Milestone: 0.9.2
Component: core Version: 0.9.0
Severity: normal Keywords:
Cc: Patch Included: 0
Review Stage: unreviewed

Description

Users have the ability to see the whole upload files page of any other user. By navigating to http://www.elggsite.com/elgguser/files you see all the upload options; although no upload is actually possible, this should not be accessible to other users.

Change History

03/29/08 01:01:20 changed by rho

confirmed

05/12/08 19:21:30 changed by justinr

  • priority changed from normal to high.

Confirmed here as well in 0.9.1, though I was also able to upload to another user's file area and create folders. This only seemed to occur when the two users are friends, though I can't rule out another trigger.

What is particularly disturbing is that the user creating the files can set them as "private" or otherwise unviewable by the user whose account is actually storing the files.

10/01/08 19:20:49 changed by markpea

I don't confirm this behaviour on 0.92 (https://els.earlham.edu). I have set the elgg data directory *outside* the web root (so /var/www/elgg for code and /var/elgg_data for data). With this configuration you cannot upload to a friend's file area or view private files. Methinks that setting the data dir to world:write access (as the installation instructions say to do) is the cause of this behaviour.
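The authorization rule the ticket description and justinr's comment are asking for, as an added illustration (this is a standalone model, not Elgg's code; the owner/friend/stranger names, the action names and the two checker functions are assumptions). It contrasts a checker that lets a friend relationship grant write access to another user's file area, as justinr observed, with one where write-type actions (viewing the upload page, uploading, creating folders) are owner-only and friendship grants at most read access.

```python
# Model of per-user file-area authorization (constructed example, not Elgg code).
from dataclasses import dataclass, field

# Actions assumed for the model: "write" actions touch the owner's storage.
WRITE_ACTIONS = {"view_upload_page", "upload", "create_folder"}
READ_ACTIONS = {"list_files"}


@dataclass
class FileArea:
    owner: str
    friends: set = field(default_factory=set)


def authorize_friend_grants_write(area: FileArea, actor: str, action: str) -> bool:
    """Checker reproducing the reported behaviour: any friend of the owner is
    treated like the owner, so friends can upload and create folders."""
    if actor == area.owner or actor in area.friends:
        return action in WRITE_ACTIONS | READ_ACTIONS
    return False


def authorize(area: FileArea, actor: str, action: str) -> bool:
    """Corrected checker: write-type actions are owner-only, friendship grants
    read access at most, and unknown actions are denied (fail closed)."""
    if action in WRITE_ACTIONS:
        return actor == area.owner
    if action in READ_ACTIONS:
        return actor == area.owner or actor in area.friends
    return False


def decision_table(checker) -> dict:
    """Run a checker over a constructed file area for three actors and return
    {(actor, action): allowed} so the two checkers can be compared."""
    area = FileArea(owner="elgguser", friends={"friend"})
    table = {}
    for actor in ("elgguser", "friend", "stranger"):
        for action in sorted(WRITE_ACTIONS | READ_ACTIONS):
            table[(actor, action)] = checker(area, actor, action)
    return table


if __name__ == "__main__":
    for (actor, action), ok in sorted(decision_table(authorize).items()):
        print(f"{actor:9} {action:17} {'allow' if ok else 'deny'}")
```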