Support » Plugin: Asgaros Forum » Attachments of a non public forum are public

  • Resolved Thorsten :-)

    (@per4mance)


    Hi,
    First, thank you for your lightweight and easy forum plugin. I use your plugin on one of my websites for logged-in users only. When a user uploads images, for example, the notification message sent by email shows the images within the email. By clicking on these images, the user gets the whole URL of the images.

    But this should not happen if a forum is non public.

    I would appreciate it if I could decide as an admin whether I want to send attachments from forum posts by email or not, or whether attachments should be public if a forum is non-public.

    Do you agree?

    Thanks in advance for any help to resolve this issue.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Asgaros

    (@asgaros)

    Hello @per4mance

    The emails are only sent to users who have access to those forums, so it should not be a problem. Even when those images are not included, this would not solve the problem you have mentioned. When those users visit a private topic, they can still click on an uploaded file and copy its URL to paste it anywhere else.

    voidray

    (@voidray)

    I also created a private forum, but the issue here is also that the uploaded files are actually public. So anyone who knows the URL can download the files. This shouldn’t be the case. The setting regarding showing uploads only to registered users seems to apply only to the forum topic texts.

    • This reply was modified 5 months ago by voidray.
    Thorsten :-)

    (@per4mance)

    @asgaros

    Hi,
    Thanks for your response. Each user can forward emails with ease. If attachments are included, sent by the forum, or a URL is included, the URL is accessible by everyone, as @voidray mentioned above.

    For me it’s not secure.

    Plugin Author Asgaros

    (@asgaros)

    Hello @voidray @per4mance

    Yes, I get your point. Basically I stand between two sides here. In the past I got a lot of requests from users who expect that uploaded files/images are shown/included inside of the notification mails so that there is no need to leave the mail application and visit the forum. But in this case it's only possible to show those images if the content is accessible from without the WordPress ecosystem.

    Currently I am not really aware of a good solution to solve this issue to make both sides happy. A simple htaccess-protection is not possible here because access is based on different parameters (login, role, group, etc). Providing all uploads via a wrapper-script is also just a workaround because once delivered, a link will be “known/public” again as soon as someone copies it and sends it to another place. WordPress also has the same problem with the upload-directory: Even when a file is not linked somewhere, it can be made public as soon as someone has the URL and sends/posts it somewhere else.
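
A sketch of the wrapper-script approach mentioned in this thread, with the permission check repeated on every download request. This is an added example, not Asgaros Forum code and not from any poster: the `example_` names, the query parameters, the filter hook and the storage path are all hypothetical. It assumes attachments are stored where the web server does not serve them directly, and images embedded in notification emails would not load through it, since a mail client has no forum session.

```php
<?php
// Added example. Every "example_" name, the query vars and the path are hypothetical.
// Assumption: files live outside the web root, so this handler is the only route to them.
define('EXAMPLE_ATTACHMENT_DIR', '/var/www/private-forum-files'); // placeholder path

add_action('init', 'example_serve_forum_attachment');

function example_serve_forum_attachment() {
    $name = $_GET['example_attachment'] ?? null;
    if (!is_string($name) || !isset($_GET['example_post'])) {
        return; // not an attachment request
    }
    $post_id = absint($_GET['example_post']);
    // basename() drops any directory part, so "../" cannot leave the post folder.
    $file = basename(wp_unslash($name));

    // The check runs on every request: a copied or forwarded link only works
    // for someone who passes the same check.
    if (!is_user_logged_in()) {
        auth_redirect(); // redirects to the login page and exits
    }
    // Deny by default. The forum's login/role/group rules would hook this filter.
    $allowed = apply_filters('example_can_read_forum_post', false, get_current_user_id(), $post_id);
    if ($allowed !== true) {
        status_header(403);
        exit;
    }

    // realpath() resolves symlinks; the result must stay under the base directory.
    $base = realpath(EXAMPLE_ATTACHMENT_DIR);
    $path = realpath(EXAMPLE_ATTACHMENT_DIR . '/' . $post_id . '/' . $file);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        status_header(404);
        exit;
    }

    nocache_headers(); // ask browsers and proxies not to cache the private file
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    // Restrict the header value to a safe character set.
    $safe = preg_replace('/[^\w.\- ]/', '_', $file);
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
```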
