Limit attachment access to paid subscribers?

Started by Sir Osis of Liver, November 26, 2019, 05:50:27 PM

Sir Osis of Liver

One of my regulars is a magazine publisher; we're using paid subs for donations on his forum. We'd like to give subscribers access to back issues (PDFs) as a premium. The attachments can be posted on a subscriber-only board, but they can be accessed with direct links (....../index.php?action=dlattach;topic=2.0;attach=6) by any logged-in member. Any way to prevent this?
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Illori


Sir Osis of Liver

Board permissions allow attachment access to be enabled or disabled.  Don't want to disable it on other boards to prevent non-subscribers from viewing/downloading pdfs posted on the subscriber board. 

Arantor

So make a new permissions profile for that board to limit access.

This is a case of "software working as intended".

Sir Osis of Liver

I know how to limit board access to subscribers, but members not in subscriber group can still access attachments with direct links.  That's what I'm not getting.

Illori

Not by default. If they cannot view the board/topic they cannot view the attachment.

Arantor

Quote from: Sir Osis of Liver on November 26, 2019, 06:04:46 PM
I know how to limit board access to subscribers, but members not in subscriber group can still access attachments with direct links.  That's what I'm not getting.


So something is set up wrong, that's the problem here.

Sir Osis of Liver

It's not board access that's the problem, it's linking directly to pdfs with dlattach that bypasses board permissions.

Arantor

Attachments respect board access plus the view permission in that board, in a normally set up forum.

If it is not, you either have a mod that broke it or it is not configured correctly.

Sir Osis of Liver

It's a clean install, board permissions work correctly, but I can still d/l the pdfs with a direct link.  I don't see anything in Display.php that would prevent this.

Arantor

That's because it's not done there.

The direct link includes a reference to the topic. This forces SMF to load the internal data for the board and the topic. In the same way access to topics isn't actually done in Display.php.

I bet you can actually go to the topic normally with the topic id as given, because what you're suggesting as a core bug implies that for the last 10 years SMF attachments have never worked properly and literally no one noticed?

Sir Osis of Liver

Ok, think I've got it now.  Link was being cached, if I clear browser between changes it gets white screen in FF, 403 in IE.  Thanks.
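The thread ends with a cached response having masked the real result (403 for non-subscribers). As an added example that is not part of the thread and not SMF code, this Python check requests a dlattach-style link once per account with a fresh, cache-free and proxy-free client, and compares each status with what that account should get. The stub server, role names and cookie values are constructed so the block runs offline; only the URL shape comes from the first post.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed session cookies: only the "subscriber" one may download.
SESSIONS = {"subscriber": "sid=sub-session", "member": "sid=member-session", "guest": None}

class StubForum(BaseHTTPRequestHandler):
    """Constructed stand-in for the forum: 200 for the subscriber, 403 otherwise."""
    def do_GET(self):
        allowed = self.headers.get("Cookie") == SESSIONS["subscriber"]
        body = b"%PDF-1.4 constructed sample" if allowed else b""
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch_status(url, cookie):
    """GET url with a new opener (no cache, no cookie jar, no proxy); return the status."""
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache", "Pragma": "no-cache"})
    if cookie:
        req.add_header("Cookie", cookie)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 403 and other error statuses land here
        return err.code

def audit_attachment(url, sessions, allowed_roles):
    """Return {role: (status, ok)}; ok means the status is what that role should get."""
    results = {}
    for role, cookie in sessions.items():
        status = fetch_status(url, cookie)
        results[role] = (status, (status == 200) == (role in allowed_roles))
    return results

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StubForum)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/index.php?action=dlattach;topic=2.0;attach=6" % server.server_port
        return audit_attachment(url, SESSIONS, allowed_roles={"subscriber"})
    finally:
        server.shutdown()
        server.server_close()
```

To run the same check against a real forum, call `audit_attachment` with the real attachment URL and the session cookies of one test account per membergroup.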
