
Topics that are moved into this category are generally considered to be closed. Users may want to add additional information but these topics should not be resurrected in order to discuss new problems or unrelated matters.

Question Keeping Attachments Hidden

12 years 9 months ago #1 by clairence
I am working on a private community for folks who will be sharing possibly proprietary information (files and documents), certainly private information (files, images), and I wonder how I can keep them all secure from logged-out folks? Or, more specifically, folks who are no longer part of the forum?

I ask because I can only access the forum when logged in. I can only post to the forum, and view content on the forum when I'm logged in.

BUT if I locate the direct URL of the attachment, I can view it without being logged in.

example:
http://example.com/joomla/media/kunena/attachments/43/Not-So-SecureDocument.pdf

*I asked this question at the Joomla forum without reply. I assume this might be a Kunena question.

Perhaps my question could become: how would I set things up so that someone who accesses the attachments folder (or any other in the tree) is redirected to the login page?

Thanks.

12 years 9 months ago #2 by sozzled
That's a really good question, clairence, and I don't have a very good answer for you at the moment. The only thing I can think of is something I wrote a long time ago: How to stop visitors from downloading files or other information from your website. The problem with this technique, however, is that once people know the URL of the attachment, they can use that information with impunity and raid your site of the attachments that you've stored.

Therefore, the issue is that Kunena is not a very "secure" file repository, as I wrote in Kunena PHP Download Files / Script. Kunena's main purpose is not to act as a file repository - although it often is used for that purpose - and there are better, more secure repository services for Joomla that you can use instead.

I understand and sympathise with the issue but I do not have a "Fort Knox" solution to the security matters that you may be encountering.
The following user(s) said Thank You: clairence

12 years 9 months ago - 12 years 9 months ago #3 by clairence
Thanks for the reply and the links. Interesting reading.

I don't plan on using it as a "repository", but there was concern that the occasional shared image of children at play might be "leaked" by well-meaning friends, beyond the secure forum where the members expect privacy.

It seems a script that would obfuscate the actual file location would be relatively simple to implement (says the person who can't quite figure out how to do it). I did something similar with files uploaded to the main section of this same site (outside of the forum)... Kunena forum topics call a PHP scripted page that pulls the file and re-draws it as a part of the scripted page. A visitor only sees the URL of the scripted page.
Code:
// Sketch: $referrerIsForum, the query text, IntendedParameters and path/to/ are placeholders.
if ($referrerIsForum) {
    $allpages = mysql_query("select * from dbtable where value=request");
    while ($row = mysql_fetch_array($allpages)) {
        if ($row['FileRelevance'] == IntendedParameters) {
            $pages = $row;
        }
    }
    $choiceurl = $pages['FileName'];
    $page = 'path/to/' . $choiceurl;
    $image = imagecreatefromjpeg($page);
    // draw the page as a JPEG
    header('Content-Type: image/jpeg');
    imagejpeg($image);
} else {
    // if not referred from the forum, advise to log in
    echo '<p style="margin-top:50px;font-weight:bold;">Please log in to view this page.</p>';
}

But I don't know how you'd do that within a post itself; this script writes a whole new page.


Anyway... if it's not too late, I'd like to add my voice to what I hope is "significant support for the idea" of including secure files in 1.7.

Thanks again for your response.
Last edit: 12 years 9 months ago by clairence. Reason: clarity

12 years 4 months ago #4 by clairence
Turns out there was a simple solution.

I added .htaccess to the /media/kunena folder as a redirect if you arrive there from somewhere other than the forum.
Code:
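RewriteEngine on
RewriteBase /
# Redirect when the Referer is empty OR is not a page on this site.
# Without [OR] the two conditions are ANDed and only an empty Referer is redirected.
RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
RewriteRule ^.*$ http://www.example.com/forum/forum [R=301,L]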

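An added example, not part of the original thread: a small Python model of how mod_rewrite combines the two RewriteCond lines from post #4, joined with and without the [OR] flag, run over three constructed requests. It assumes Apache's documented behaviour that conditions are ANDed unless flagged [OR]; the tuple layout, function names and the `other.example.net` host are illustrative.

```python
import re

FORUM = r"^http://(www\.)?example\.com/.*$"
# (pattern, negated, nocase, or_next) for each RewriteCond %{HTTP_REFERER} line
RULE_ANDED = [(r"^$", False, False, False), (FORUM, True, True, False)]
RULE_ORED = [(r"^$", False, False, True), (FORUM, True, True, False)]

# Constructed sample requests for one attachment URL.
# logged_in is never consulted below: the rule only sees the Referer header.
REQUESTS = [
    {"name": "url-pasted", "referer": "", "logged_in": False},
    {"name": "forum-link", "referer": "http://www.example.com/forum/forum",
     "logged_in": False},
    {"name": "other-site", "referer": "http://other.example.net/page",
     "logged_in": True},
]


def redirected(conds, referer):
    """True if the RewriteRule fires, i.e. the request is sent to the forum."""
    i = 0
    while i < len(conds):
        pattern, negated, nocase, or_next = conds[i]
        flags = re.I if nocase else 0
        hit = bool(re.search(pattern, referer, flags)) != negated
        if or_next and hit:
            # One member of an [OR] chain matched: skip the rest of the chain.
            while i < len(conds) and conds[i][3]:
                i += 1
        elif not or_next and not hit:
            return False  # an ANDed condition failed, so the rule does not fire
        i += 1
    return True


def audit(conds):
    """Map each sample request to 'redirected' or 'served'."""
    return {r["name"]: "redirected" if redirected(conds, r["referer"]) else "served"
            for r in REQUESTS}


if __name__ == "__main__":
    for label, rule in (("ANDed", RULE_ANDED), ("with [OR]", RULE_ORED)):
        print(label, audit(rule))
```

In both variants the `forum-link` request from a logged-out client is served, because the rule inspects only the Referer header and never the session.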
