
File downloadable, regardless of FE Group #233

Open
cyrotek opened this issue Dec 8, 2023 · 5 comments
cyrotek commented Dec 8, 2023

It seems I found a bug: whatever user group I have, I can download a file when it's linked somewhere. The folder containing it does have a specific group restriction that does not match my own group. I also tried to create a new folder and add a random file, give the folder a random group (which my test user doesn't have) and try to download it. Successful...

I'm running TYPO3 11.5.31 with the extension in 5.05.


TimWilms commented Jan 3, 2024

Hi @cyrotek ,

We have looked into your issue, but we can't seem to reproduce the problem that you are experiencing. Did you create a separate local file storage that has "Is publicly available" turned off? Please make sure you do so. This will not work on the default content local storage.


kanow commented Aug 12, 2024

I can confirm that issue in TYPO3 12.4.14. I have a protected folder outside of the web root in my local Docker environment.
The storage has the "Is publicly available" setting turned off. I set access for the storage to "show if user is logged in". So I assume that only logged-in users can see/download files in it. But if I log in with a FE user and copy the generated link to that protected file, then I can paste it in another browser window and see/download the file without logging in to the page.

I'm using version 5.0.7 of fal_securedownload.

FamousWolf self-assigned this Aug 19, 2024

FamousWolf (Contributor) commented:

After some tests I've been able to reproduce this problem. It happens when there are no restrictions set on the file or the folders the file is in. The problem is in BeechIt\FalSecuredownload\Security\CheckPermissions::checkFileAccess. If the storage is not public and there's no backend session (or the backend user does not have access to the storage), the access for the folders and file is checked. If no access restrictions are set on the folders and files, it returns true, but it should return false.

I'll have to test if removing the return true here doesn't cause other problems.

FamousWolf (Contributor) commented:

Removing the return true if there is no access restriction on the folders and file will mean the file is never accessible. The problem is that you can create a tx_falsecuredownload_folder record on the storage root, but it's not checked. We'll have to add a check for that.

FamousWolf (Contributor) commented:

My solution wasn't a solution. The functionality is correct.

@cyrotek @kanow It could be that you're logged in to the backend. If so, any browser window/tab with the same session will have access to all files your backend user has access to regardless of any frontend login.
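The access decision described in the two FamousWolf comments above (storage public, backend session, then the folder chain and file, with "no restriction record" meaning allow) is easier to reason about as code. The following is an added illustration written for this page, not code from fal_securedownload or TYPO3; every class, property and function name in it is constructed, and the way several restriction records are combined (each record found must be satisfied) is an assumption of this model, not something the thread states.

```php
<?php
// Added illustration for this thread, not code from fal_securedownload or TYPO3.
// It models the decision order that FamousWolf describes for
// BeechIt\FalSecuredownload\Security\CheckPermissions::checkFileAccess so the
// "backend session wins" outcome can be reasoned about. Every class, property and
// function name here is constructed for the example; how the real extension
// combines several restriction records is not stated in the thread and is an
// assumption of this model (every record found must be satisfied).
declare(strict_types=1);

final class Folder
{
    /**
     * @param list<int> $allowedGroups FE group uids from a restriction record on this
     *                                 folder; an empty list means no record exists
     */
    public function __construct(
        public readonly string $name,
        public readonly array $allowedGroups = [],
        public readonly ?Folder $parent = null,
    ) {
    }
}

final class AccessContext
{
    /** @param list<int> $frontendGroups uids of the FE user's groups, empty when not logged in */
    public function __construct(
        public readonly bool $storageIsPublic,
        public readonly bool $backendUserHasStorageAccess,
        public readonly array $frontendGroups = [],
    ) {
    }
}

/** @param list<int> $groups */
function groupsMatch(array $groups, AccessContext $ctx): bool
{
    return array_intersect($groups, $ctx->frontendGroups) !== [];
}

/**
 * @param list<int> $fileGroups restriction record on the file itself, empty if none
 */
function checkFileAccess(AccessContext $ctx, Folder $fileFolder, array $fileGroups = []): bool
{
    // 1. A storage with "Is publicly available" enabled is never protected;
    //    this is why the default local storage cannot be used for the test.
    if ($ctx->storageIsPublic) {
        return true;
    }
    // 2. An existing backend session with access to the storage short-circuits
    //    all frontend checks: a browser tab that shares that session sees the
    //    file regardless of any FE login (the situation reported in this issue).
    if ($ctx->backendUserHasStorageAccess) {
        return true;
    }
    // 3. Frontend path: the file record and every folder up to the storage root
    //    are inspected. Walking up to the root also covers a
    //    tx_falsecuredownload_folder record placed on the root folder.
    if ($fileGroups !== [] && !groupsMatch($fileGroups, $ctx)) {
        return false;
    }
    for ($folder = $fileFolder; $folder !== null; $folder = $folder->parent) {
        if ($folder->allowedGroups !== [] && !groupsMatch($folder->allowedGroups, $ctx)) {
            return false;
        }
    }
    // 4. No restriction record anywhere: the file is meant to be reachable
    //    (removing this "return true" would make every file inaccessible, as
    //    noted above).
    return true;
}

// Constructed scenario from the thread: a folder restricted to FE group 1 and a
// tester who is a member of FE group 2 only.
$root = new Folder('/');
$protected = new Folder('protected', [1], $root);

// The same browser session also holds a backend login: access is granted.
$withBackendSession = checkFileAccess(
    new AccessContext(storageIsPublic: false, backendUserHasStorageAccess: true, frontendGroups: [2]),
    $protected,
);
// A fresh browser without the backend session: access is denied.
$withoutBackendSession = checkFileAccess(
    new AccessContext(storageIsPublic: false, backendUserHasStorageAccess: false, frontendGroups: [2]),
    $protected,
);
var_dump($withBackendSession, $withoutBackendSession);
```

When reproducing a report like this one, the two calls at the bottom are the test to run: the same restricted file checked once from a browser that holds a backend session and once from a browser (or private window) that holds none. Only the second result says anything about the frontend group restriction.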
