Bug #563
closedGroup documents available via raw URL
0%
Description
The plugin BP Group Documents uploads documents to a subdirectory of wp-content/blogs.dir. This means that all documents are publicly available via URL, regardless of the status of the group. Normally this is not a problem, as the filenames are prepended with a timestamp and thus quite obscured, but it does mean that if the URL gets out (and posted on another public site), Google will find it.
Updated by Boone Gorges about 13 years ago
- Status changed from Assigned to Resolved
I have resolved the problem by moving the upload location outside of the web directory. All requests for group documents now go through a URL commons.gc.cuny.edu/?get_group_doc=xxxxxx where xxxxxx is a long string corresponding to the group document. A script then parses the get_group_doc query, identifies the associated group, and sees whether the group is public. If it's not, it then checks to see whether the logged-in user has access to the group (ie is a member). If so, the download goes through. If not, the user is directed to the group page, with a message saying that the user needs to be logged in and a member of the group to access the document. This fixes are in https://github.com/castiron/cac/commit/8bb02a909f9dd91c01bacf89fb0a6dbcd6f72a62
I also put a rule into .htaccess so that old group document URLs would continue to work, by redirecting to the new URLs. This ensures that URLs will not break, but that old docs will still be inaccessible to non-group-members. This fix is in https://github.com/castiron/cac/commit/23f03a25b04049eae7d97d8b7a572d7b5aa185fa
Updated by Matt Gold about 13 years ago
Thank you for your great work on this serious issue, Boone.