
Question Visibility of attachments and image for guests

13 years 7 months ago #1 by ghasem karimi
Hi
In versions 1.5.x and 1.6, Kunena introduced and gave us
the tools (visibility of attachment and image for guests).
Unfortunately there have been a few problems, and I would like to see
if these issues can be solved.

1. When a user is granted access to download links through login,
the user can copy a link and give it away to a non-member, who without logging in can still
access the file, video, etc. ???


2. When saving a single link in PDF format and links are saved in PDF as well....
is there no way to solve this issue?


I would appreciate any help admins or users can give me regarding
the 2 issues above. :)

13 years 7 months ago #2 by sozzled
"Users can copy file links and give them to other people"

Well, yeah, that's a problem isn't it?

I think it's important to keep in the back of your mind that Kunena is a web-based discussion forum product. Even though you can restrict access to the discussions, you can't prevent your users misusing their privileges to pass information in other ways. The features built into K 1.5.12 and K 1.6 merely hide attachments from those who are not logged-in; that is to say, if you are not logged-in you are not able to see the link to the attachments. But if you could find the link to the attachment then you would have access to that attachment.

The solution to this problem lies in webserver security. You can apply security via other software - you might even be able to do something with the .htaccess file - but I don't know how it's done.

"When saving a single link in PDF format and links are saved in PDF as well"

I'm sorry but I don't understand the connection between this statement and Kunena. Can you provide more information to help me understand the issues better, please?

13 years 7 months ago - 13 years 7 months ago #3 by ghasem karimi
Last edit: 13 years 7 months ago by ghasem karimi.

13 years 7 months ago - 13 years 7 months ago #5 by sozzled
Thank you. Very good demonstration of a Kunena 1.5-related issue. There isn't any PDF function in K 1.6 so your second question (about links in PDF files for K 1.6) doesn't apply.

I think that we'll have to take this question on notice (at least as far as K 1.5 is concerned) and come back to you later.
Last edit: 13 years 7 months ago by sozzled.

13 years 6 months ago - 13 years 6 months ago #7 by xpozay
Actually, this is a very big issue. I only discovered this myself two weeks ago while I have been a happy Kunena customer for the past year and FB before. It never occurred to me that my files were "open" to the public. While the use of a blank index.html in every directory helps, this doesn't solve the issue.

I looked at my other forum, phpBB, which I use because I need group access to different sub-forums, and while the files are stored in the files directory, 1) by default the .htaccess file is set so the directory is not accessible and 2) all the file names are nonsensical, e.g. 2_0122d903f2adfc5100723a5d974daf8e. I recognise we can play with the .htaccess file to restrict access; however, this is not for the faint-hearted.

I wonder, moving forward, why can't the files be stored above the public_html folder. This is done with Moodle, where the moodledata directory is not public and users can still access, edit, add, delete content. This could be configurable so that those who do not have access to folders above public_html can still use Kunena but for those who require the additional security the option is there.

I wonder, is this something that we could hack to make work? Can we point Kunena to a location above public_html?

Thanks in advance for your thoughts

Chris
Last edit: 13 years 6 months ago by xpozay.
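
The approach raised in the post above (attachments kept outside public_html and handed out only after a login check), sketched as an added example; it is not part of the thread and is not Kunena code. The directory path, the `file` request parameter and the `user_id` session key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not Kunena code. Assumptions: attachments live in ATTACH_DIR
// outside the web root, and the host application sets $_SESSION['user_id']
// for logged-in users (hypothetical key).
const ATTACH_DIR = '/home/site/forum_attachments'; // hypothetical path above public_html

/** Map a requested name to a real file inside $baseDir, or null if it escapes or is missing. */
function resolve_attachment(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // basename() drops any directory part, so "../../configuration.php" becomes "configuration.php"
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    // realpath() resolves symlinks; the result must still sit under the base directory
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function serve_attachment(array $session, string $name): void
{
    if (empty($session['user_id'])) {   // guest: knowing the URL grants nothing
        http_response_code(403);
        return;
    }
    $path = resolve_attachment(ATTACH_DIR, $name);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
    header('Content-Length: ' . (string) filesize($path));
    header('Cache-Control: private, no-store'); // keep shared caches from storing the file
    readfile($path);
}

session_start();
serve_attachment($_SESSION, (string) ($_GET['file'] ?? ''));
```

Because the files are never mapped to a URL of their own, a copied link only reaches this script, and a visitor without a session gets a 403 instead of the file.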

13 years 5 months ago #8 by xpozay
bump

Can somebody share if the Kunena team will be looking at these security issues?

Is it possible to hack Kunena so that the attachments & pictures are stored above the public_html directory?

12 years 11 months ago #9 by xpozay
I would like to bump this post. Perhaps this is something that could be looked at as part of Kunena 2.0?
