Catalog File Attachments

#96973 (In Topic #19243)

How do you secure catalog file attachments?

I have a site that contains a guest zone, a user zone and a management zone.

The catalog module is in the user zone (where I have a number of catalogs).

However when I attach a file to the catalogs that are restricted to the management zone, people logged in to the user zone can still access the attachment through the address bar.

Is there a way to install a second catalog module in the management zone or redirect the files to be stored in the management zone?

Thanks for any help in advance.

#96975

Ensure the catalogue itself doesn't have access, rather than the zone or catalogues page.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.

#96976

Thanks for the quick response Chris.

The catalogue is restricted to the management group. However, since the catalogue stores all the attached files in the user zone (where the module is installed), the user can simply type the file address into the address bar and see the files.

such as: http://sample.com/ocportal/site/catalogue_file.php?original_filename=sample.pdf&file=sample.pdf

I can try to use obscure file names, but I wanted to know if there was a more secure way to store these files.

#96978

You're right, there is no access security on catalogue upload fields. I thought you were referring to attachments on posting fields, which are secured.

Even though it wasn't designed for secure data, I don't think we specify that there is no security on this, so we should improve this. I'll have to get back to you as it's not a simple change.

#96980

Thanks for the quick reply again, Chris. If there was a way to specify the zone location the files are stored in, it would be perfect.

#96981

That's not going to be possible without significant programming changes: the upload process is several subsystems removed from the concept of zones.

#96984

Is it possible to install a second catalogue in the Management zone?

#97011

Automated fix message

JPMorgan said

I have a site that contains a guest zone, a user zone and a management zone.

The catalog module is in the user zone (where I have a number of catalogs)

However when I attach a file to the catalogs that are restricted to the management zone, people logged in to the user zone can still access the attachment through the address bar.

Is there a way to install a second catalog module in the management zone or redirect the files to be stored in the management zone?

Thanks for any help in advance.
This issue has been filed on the tracker as issue #1233, with a fix.

#97012

JPMorgan said

Is it possible to install a second catalogue in the Management zone?

There are advanced things you can do to do this kind of thing (documented, or we can explain via a support ticket), but it doesn't affect how the code works – files will still be kept on disk at the same location, held in the same database tables, and run through the same scripts.

#97013

Regarding my hotfix above, it is important to note that the uploads/catalogues directory needs securing at the web server level to prevent direct downloads from there. Download security can only be maintained if downloads can only go through our catalogue_file.php script.

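The two points Chris makes in #96978 (a catalogue upload field with no access check hands the file to anyone who types the URL) and #97013 (the gate script is only worth anything if the web server refuses direct requests to uploads/catalogues) are shown together below. This is an added example written for this page, not ocPortal's own catalogue_file.php or its hotfix: the UPLOAD_ROOT constant, the `catalogue` and `file` query parameters, the `$_SESSION['groups']` layout and the `$acl` table are all assumptions made for the illustration, and the vulnerable one-liner in the comment is the generic shape of an unchecked download, not a quote of ocPortal code.

```php
<?php
declare(strict_types=1);
// Added example, not ocPortal's own catalogue_file.php: a download gate that
// releases an attachment only after an access check, with the requested name
// confined to the upload directory. UPLOAD_ROOT, the query parameters
// (catalogue, file), the $_SESSION['groups'] layout and the $acl table are all
// assumptions made for this illustration.

const UPLOAD_ROOT = __DIR__ . '/uploads/catalogues';

// Shape of a gate with no access control (the problem described in the thread):
// anyone who knows or guesses the name gets the file, and '../' in $file walks
// out of the upload tree.
//   readfile(UPLOAD_ROOT . '/' . $_GET['file']);

/**
 * Resolve a user-supplied name to a regular file inside $root.
 * Returns null for anything that is not a bare, safe file name or whose real
 * path (after symlink resolution) lies outside $root.
 */
function resolve_upload_path(string $root, string $requested): ?string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $requested)) {
        return null; // rejects '', '..', path separators, NUL bytes
    }
    $rootReal = realpath($root);
    $fileReal = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return null;
    }
    // Prefix check with the separator appended, so /uploads/catalogues-old
    // does not pass as a child of /uploads/catalogues.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $fileReal;
}

/** True when the member is in at least one group permitted on the catalogue. */
function is_download_allowed(array $memberGroups, array $allowedGroups): bool
{
    return count(array_intersect($memberGroups, $allowedGroups)) > 0;
}

/**
 * Stream the file as a download. 'attachment' plus nosniff keep the browser
 * from rendering an uploaded HTML or SVG file inside the site's origin.
 */
function send_attachment(string $path, string $downloadName): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    // $downloadName already passed the safe-character check above.
    header('Content-Disposition: attachment; filename="' . $downloadName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// ---- request handling ----
session_start();
$memberGroups = $_SESSION['groups'] ?? [];            // assumption: set at login
$catalogueId  = (int) ($_GET['catalogue'] ?? 0);
$requested    = (string) ($_GET['file'] ?? '');

// Constructed sample ACL: catalogue 7 is readable by group 2 only.
$acl = [7 => [2]];
$allowedGroups = $acl[$catalogueId] ?? [];

// Authorise first, then resolve; both failures answer 404 so the gate never
// confirms that a name exists to someone who may not read it.
if (!is_download_allowed($memberGroups, $allowedGroups)) {
    http_response_code(404);
    exit;
}
$path = resolve_upload_path(UPLOAD_ROOT, $requested);
if ($path === null) {
    http_response_code(404);
    exit;
}
send_attachment($path, $requested);
```

The gate above is bypassed entirely if the web server will serve `uploads/catalogues/` directly, which is the caveat in #97013. With Apache that means `Require all denied` (`Deny from all` on 2.2) in that directory's configuration or, where overrides are enabled, its `.htaccess`; with nginx, a `location` for that path that returns 403. Whichever server is in use, the check to make after deploying is to request a known attachment by its direct path in the uploads directory and confirm the response is a 403 rather than the file, then request it through the gate as a member outside the permitted group and confirm a 404.
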
#97015

Chris,
 
Thanks again for the fast fix.
I will look into making sure the directory is secured.
James.

#97023

Chris,

I am now receiving the following error when I try to create a catalogue or when I try to access SOME of the existing catalogues:

PHP ERROR [64] Cannot redeclare class Hook_fields_picture in sources/hooks/systems/fields/ORIGINALpicture.php on line 22 (version: 9.0.6, PHP version: 5.3.22, URL: /ocportal/cms/index.php?page=cms_catalogues&type=add_catalogue)

I'm sure it's something I did (or didn't do) when I installed the update.

Thanks for any help you can offer.
James.

#97024

You mustn't leave non-standard PHP files in a hook directory, which you inadvertently did by leaving a backup in there but using the .php extension for it.

#97025

Another simple fix from Chris.

Thanks...I knew it was something I did.

James.