Able to access files by EntryId (all other parameters are ignored)
Last Post 06/04/2021 11:06 AM by Peter Donker. 6 Replies.
Chris Howell
New Member
Posts:3
06/01/2021 7:45 PM
I think I've found a bug, using DMX 6. I have a DNN install with 20+ portals.

Steps to reproduce:
1. Get a link to one of my own files: https://www.domain.com/DesktopModules/Bring2mind/DMX/Download.aspx?PortalId=10&TabId=20&EntryId=30&local=true
2. This link gives me direct access to the file (bypassing all permission checks)
3. Strip out all query string parameters except for EntryId: https://www.domain.com/DesktopModules/Bring2mind/DMX/Download.aspx?EntryId=30 (file access still works)
4. Increment/Decrement EntryId - gives me access to files in other portals

File access is set for "AllUsers" (to share files with 3rd parties), which assumes anonymous access, but I think DMX should not be serving up files unless PortalId from query string matches the portal for given EntryId.

Let me know if there's a setting to force PortalID check.

Thanks
Peter Donker
Veteran Member
Posts:4536
06/02/2021 10:16 AM
Hi Chris,

All file access is checked at a deeper level. So whenever you "fudge" a url by changing the entryid, the underlying process still checks to see who is logged in and checks that with the entry. I can only conclude that you had access to those files. Either because they were available for "All Users" or because your login had sufficient permissions.

If you feel this was not the case, don't hesitate to reach out and I'll be happy to trace it with you. But I'll need access to the data so I can see the relevant bits.

Peter
Chris Howell
New Member
Posts:3
06/02/2021 6:08 PM
Hi Peter,
Yes, "All Users" had access, so at the end of the day the file was public.
I guess this confirms that PortalId in the query string and host name of the portal are ignored.
This in turn means that files uploaded by www.portal8.com can be seen on any other portal (e.g. www.portal4.com) as long as you get the EntryId right and files are public.
Please confirm.


Peter Donker
Veteran Member
Posts:4536
06/02/2021 7:41 PM
Yes. You can hammer the API with entry ids and you'll get those files returned if you have access. I'll change this to recheck the portal ID.

Peter
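The authorization gap described in this thread, modelled as an added example (not DMX code): one handler resolves the file by EntryId alone, the other first checks that the entry belongs to the portal the request arrived on. The portal is taken from the request host, because a PortalId query parameter is under the client's control; the host map, entries and role names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not DMX's schema): two portals on one DNN install.
PORTAL_BY_HOST = {"www.portal8.com": 8, "www.portal4.com": 4}

@dataclass(frozen=True)
class Entry:
    entry_id: int
    portal_id: int
    read_roles: frozenset  # roles allowed to download, e.g. {"All Users"}

ENTRIES = {
    30: Entry(30, 8, frozenset({"All Users"})),          # public file owned by portal 8
    31: Entry(31, 4, frozenset({"All Users"})),          # public file owned by portal 4
    32: Entry(32, 8, frozenset({"Registered Users"})),   # restricted file owned by portal 8
}

def _permitted(entry: Entry, roles: frozenset) -> bool:
    """Role-based read check; 'All Users' models anonymous access."""
    return bool(entry.read_roles & roles)

def download_by_entry_only(entry_id: int, roles: frozenset) -> Optional[Entry]:
    """Behaviour reported in the thread: the entry is resolved by EntryId alone,
    so any public file is served no matter which portal the request came in on."""
    entry = ENTRIES.get(entry_id)
    if entry is None or not _permitted(entry, roles):
        return None
    return entry

def download_portal_scoped(entry_id: int, host: str, roles: frozenset) -> Optional[Entry]:
    """Hardened variant: the portal is derived from the request host, never from a
    PortalId query parameter, and the entry must belong to that portal before
    the permission check runs."""
    portal_id = PORTAL_BY_HOST.get(host)
    if portal_id is None:
        return None
    entry = ENTRIES.get(entry_id)
    if entry is None or entry.portal_id != portal_id:
        return None  # cross-portal request: treat as not found
    if not _permitted(entry, roles):
        return None
    return entry

if __name__ == "__main__":
    anon = frozenset({"All Users"})
    print(download_by_entry_only(30, anon))                     # served, from any host
    print(download_portal_scoped(30, "www.portal4.com", anon))  # None: wrong portal
    print(download_portal_scoped(30, "www.portal8.com", anon))  # served
```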
Peter Donker
Veteran Member
Posts:4536
06/02/2021 8:58 PM
New release fixes this: 06.04.06.

Peter
Chris Howell
New Member
Posts:3
06/02/2021 9:51 PM
Thank you Peter.

Another question: Can I set default permissions on the root folder of any given portal, so when I add folders/files to the root it will select default permissions and will not check "All Users" which it currently does?

Thanks
Peter Donker
Veteran Member
Posts:4536
06/04/2021 11:06 AM
You can't, no. The root is actually a virtual element and not intended to be used as a folder in the same sense as other folders. If you have specific permission needs, you need to create a folder with those permissions and set that as a root.

Peter