Security question(s)

  • splooge
    Senior Member
    • Mar 2001
    • 215

    Security question(s)

    I seem to be having a heck of a time setting up my security on the boards. Either that or someone out there is just 10 times smarter than I am and can keep getting into things.

    I shut my original board down and brought it up as a new install, to start from scratch with a new 'guild' of folks I game with.

    My forums are set up pretty simple right now. Kinda looks like this:

    -Public Forums
    --Public Discussion
    -Private Forums
    --Private Discussion

    I've made a new user group and put the guild members in it. When I change people to this usergroup they get access to the Private Forums like they should, all seems well.

    When you log out, you can only view the public forums -- works as intended.

    When logging in as registered users, you can see and post on the public forums -- works as intended.

    HOWEVER, when I was browsing the 'Who's On-line' I noticed this:

    "Guest Viewing Attachment in Thread I'm bored at work.. RL pic thread... 10:02 AM"

    An unregistered, un-logged in user that shows up as 'Guest' was reading a message on our PRIVATE boards.

    Currently access masks are off. I don't quite understand how they're used as the forum permissions have always been good enough for me...(Or so I thought?)

    I would appreciate any input to my problem here. My board is located at http://vex.pwned.com and my customer info is filled out in my profile. I'd be happy to PM someone with the admin password if they'd be willing to just take a quick look.

    Regards,

    Chris
  • Mike Sullivan
    Former vBulletin Developer
    • Apr 2000
    • 13327
    • 3.6.x

    #2
    That's not to say they're *actually* viewing it, but rather trying to view it most likely (and getting a no permission screen).

    Try it yourself -- logout and try to go to that attachment.


    • splooge
      Senior Member
      • Mar 2001
      • 215

      #3
      Thanks for the reply, and a great piece of software.

      I have two follow up questions.

      1) You're right, when I logout I cannot see the attachment. How is it possible that someone would 'try' to view that attachment when they shouldn't ever know about it (or the link to it, which was in the private forum (The link being the link to the picture in the database, not a picture inserted with the IMG option)) in the first place? It seems like http://vex.pwned.com/attachment.php?s=&postid=138 would be an awful hard link to "guess" at if you didn't have permission to view the forums in the first place.

      2) Regarding access masks being on or off. Are these good for anything other than assigning implicit permissions to users for certain forums that may fall out of their normal usergroup access via the "Edit forum access for this user" option? I haven't found anything regarding access masks in the on-line documentation. =(

      Thanks again for the quick reply it's most appreciated.


      • Mike Sullivan
        Former vBulletin Developer
        • Apr 2000
        • 13327
        • 3.6.x

        #4
        1. They're probably just manipulating the URL, looking at all the attachments.

        Regarding access masks being on or off. Are these good for anything other than assigning implicit permissions to users for certain forums that may fall out of their normal usergroup access via the "Edit forum access for this user" option?
        That's about the purpose they serve IMO (and I coded them!) -- it saves creating a bunch of usergroups if you have a bunch of different groups of people who don't meet the "normal" settings.


        • splooge
          Senior Member
          • Mar 2001
          • 215

          #5
          Much appreciated! You've taken a load off my mind. =)

          The access masks were confusing to me until explained just now, I felt I was doing something terribly wrong. Apparently some things can be as easy as they seem.

          Thanks again.


          • splooge
            Senior Member
            • Mar 2001
            • 215

            #6
            I still seem to be having an issue. Is there any logical explanation for this? This is a cut/paste of who's on-line.

            Aedra Viewing Thread Going to be gone for a week or two. 02:59 PM 64.208.159.230
            Matroni Vexare Forums Main Index 02:56 PM 199.84.173.3
            Rashen Viewing Thread twinks? 03:02 PM 24.247.63.200
            Reipin Pillage Vexare Forums Main Index 03:02 PM 207.198.251.52
            Guest Viewing Attachment in Thread I'm bored at work.. RL pic thread... 02:57 PM 64.208.159.230
            Guest Viewing Attachment in Thread I'm bored at work.. RL pic thread... 02:57 PM 64.208.159.230

            Look at Aedra's IP and the two guests' IPs. This user is behind a firewall of some sort -- is that the problem?

            My users are screaming mad about security at the moment. They're convinced that people are coming and reading our private forums -- because this attachment that the user 'guest' is viewing is in a private forum. Unfortunately I don't know enough to even try to convince them otherwise.

            Can someone tell me if they can get access to my private boards? I guess I may have security set up wrong. http://vex.pwned.com

            I am probably overreacting. =(


            • Freddie Bingham
              Former vBulletin Developer
              • May 2000
              • 14057
              • 1.1.x

              #7
              And you're sure that those guest sessions aren't actually from Aedra before he/she logged in?

              At any rate, as said before, Who's Online does not give any one special powers, it is only relating what is in the session table.
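
Added example, not part of any post in this thread: a short Python script that runs the check suggested in #7 over the Who's Online paste from #6, listing each Guest row together with any logged-in member seen on the same IP. The split into user and activity relies on an assumed list of activity markers, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Who's Online paste from post #6 (columns: user, activity, time, IP).
WHOS_ONLINE = """\
Aedra Viewing Thread Going to be gone for a week or two. 02:59 PM 64.208.159.230
Matroni Vexare Forums Main Index 02:56 PM 199.84.173.3
Rashen Viewing Thread twinks? 03:02 PM 24.247.63.200
Reipin Pillage Vexare Forums Main Index 03:02 PM 207.198.251.52
Guest Viewing Attachment in Thread I'm bored at work.. RL pic thread... 02:57 PM 64.208.159.230
Guest Viewing Attachment in Thread I'm bored at work.. RL pic thread... 02:57 PM 64.208.159.230
"""

# Assumption: the activity text starts with one of these markers; what precedes it is the user name.
ACTIVITY_MARKERS = ("Viewing Attachment in Thread", "Viewing Thread", "Vexare Forums Main Index")
ROW = re.compile(r"^(?P<head>.+) (?P<time>\d{2}:\d{2} [AP]M) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def parse_rows(text):
    """Split each pasted line into user, activity, time and IP; skip lines that do not fit."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        head = m["head"]
        cuts = [head.find(mk) for mk in ACTIVITY_MARKERS if head.find(mk) > 0]
        if not cuts:
            continue
        user, activity = head[:min(cuts)].strip(), head[min(cuts):]
        rows.append({"user": user, "activity": activity, "time": m["time"], "ip": m["ip"]})
    return rows

def guests_sharing_member_ip(rows):
    """Return every Guest row annotated with the logged-in members seen on the same IP."""
    members_by_ip = defaultdict(set)
    for r in rows:
        if r["user"] != "Guest":
            members_by_ip[r["ip"]].add(r["user"])
    return [dict(r, members_on_ip=sorted(members_by_ip.get(r["ip"], ())))
            for r in rows if r["user"] == "Guest"]

if __name__ == "__main__":
    for g in guests_sharing_member_ip(parse_rows(WHOS_ONLINE)):
        # A shared IP is consistent with one person before and after login, not proof of it.
        note = ", ".join(g["members_on_ip"]) or "no member on this IP"
        print(f'{g["time"]} {g["ip"]} {g["activity"]} -> {note}')
```

A Guest row with no member on its IP is the case to follow up in the web server's access log, checking whether the attachment request got the no-permission page.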


              • Mike Sullivan
                Former vBulletin Developer
                • Apr 2000
                • 13327
                • 3.6.x

                #8
                Can someone tell me if they can get access to my private boards?
                Nope -- only see the public stuff.


                • seemaxrun
                  Member
                  • Jul 2001
                  • 59

                  #9
                  Have you double checked your forum jump menu while not logged in? I have private forums that show up on the jump menu -- no one without authorization can access the private forums using the jump menu but they can see them to try to access them. I have not changed it because it is not important to me whether they know what is in there just that they cannot enter the private forums without permission but that could be a way your guests are seeing those forums to try to look at them.

                  You can edit the jump forum menu in your templates if that is a problem.

                  Also have you double checked all user groups' permissions including users waiting for email notification? I missed that one on my first run through and had some interesting things happening with registered users not being able to post places where non-registered members could post and were not supposed to be able to.
                  max

                  http://www.seemaxrun.com/forum


                  • SuprSurfr
                    New Member
                    • May 2007
                    • 8

                    #10
                    Is there a way that attachments posted in a private forum can be kept private?
                    If someone that has access to the forums copies the link to the attachment ID and gives the link to someone without access, they can view the attachment. I would like it to ask them to login if they try to view the attachment, and if they don't have permissions to the forum where the attachment resides to give them an access denied message.


                    Is this possible?


                    • SuprSurfr
                      New Member
                      • May 2007
                      • 8

                      #11
                      Bump


                      • Steve Machol
                        Former Customer Support Manager
                        • Jul 2000
                        • 154488

                        #12
                        If the permissions are set correctly, then this will not happen with the default vB. If you have further questions you should start a new thread with all the relevant info.
                        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                        Change CKEditor Colors to Match Style (for 4.1.4 and above)

                        Steve Machol Photography


                        Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.

