Files still accessible when in the trash  (#11964)
Issue

When files are deleted (moved into the trash), nothing is done to prevent access to the file via the uploads URL, so the content remains accessible until the file is purged, which is 30 days by default. This can cause issues if the uploads URL has been cached by search engines, linked to from other websites, or bookmarked by users. It is counter-intuitive behavior for content managers who assume that deleting a file should make it unavailable on the website.

For files that originally were unrestricted and had no .wgaccess file, the only solution would appear to be to add a .wgaccess file with restricted permissions upon deletion. For files with .wgaccess files associated with them already, a more restricted access setting should be applied (making it visible only to those with editing rights for the asset seems logical).

For restoration of a file asset from the trash, I presume you would want to restore the original permissions, which means the file asset would have to retain its original permissions, making the .wgaccess file out of synch as long as it was in the trash. This might cause problems for workflows or utilities that monitor or fix .wgaccess files (like fixWgaccess.pl).

Note: There is a closely related problem that could be resolved by fixing this bug: when permissions on a file are changed, the old file with its old .wgaccess file remains in place, even after changes have been committed. This means that the file at the old uploads URL retains its old permissions settings, which could result in content being more available than intended.

Fixing this bug would mean treating past versions of the file asset as if they were in the trash -- lock down access on them so that only those with editing rights can still see the old version.

(I am filing this as "Minor" because the bug doesn't prevent WebGUI from working in the basic sense. However, it could be considered harmful if it resulted in inadvertent exposure of protected content to the internet.)

Solution Summary
Comments
preaction (11/16/2010 5:44 pm)
Both of these are fixed in 7.10.5 (55920f5) and 7.9.19 (386ce03)

Trashed files will show forbidden and so will old revisions, no matter what.

This will probably cause problems for anybody using the /uploads/ URL directly, but they've been warned for years.
Details
Ticket Status: Resolved
Rating: 0.0
Submitted By: Trex
Date Submitted: 2010-11-15
Assigned To: DBell
Date Assigned: 2010-11-16
Assigned By: DBell
Severity: Minor (annoying, but not harmful)
What's the bug in?: WebGUI Stable
WebGUI / WRE Version: 7.9.18
URL: use/bugs/tracker/11964
Keywords
Ticket History
11/16/2010 11:44 PM - Resolved - DBell
11/16/2010 9:24 PM - Assigned to DBell - DBell
11/15/2010 9:06 PM - Ticket created - Trex