
Question Authorisation for Attachments not working correctly (Kunena 2.0.2)

7 years 4 months ago #1 by afritz
My configuration of Kunena allows only moderators to attach regular files (like txt, pdf). However, even if a user is a moderator for a category, he cannot upload those files. Kunena displays a warning message with the list of allowed file types. This list is correct and includes the extension of the uploaded file.

I already debugged this issue and found the reason for this behavior:

CKunenaUpload (lib/kunena.upload.class.php) is responsible for handling the upload. In its constructor, it generates the lists of valid extensions:
function __construct() {
	...
	$this->validImageExts = (array) KunenaForumMessageAttachmentHelper::getImageExtensions();
	$this->validFileExts = (array) KunenaForumMessageAttachmentHelper::getFileExtensions();
	...
}

However, it does not pass the category and user to getImageExtensions and getFileExtensions. So these functions cannot properly check whether the current user is a moderator for the category of the post. Also, note the different first lines of the two functions:
static public function getFileExtensions($category = null, $user = null) {
	$category = KunenaForumCategoryHelper::get($category);
vs.
static public function getImageExtensions($category = null, $user = null) {
	if ($category !== null) $category = KunenaForumCategoryHelper::get($category);

As file extensions of images are checked similarly, I expect that this bug affects those as well.

I assume that patching is straightforward with this information for someone who knows where to take the category and user from.

Thank you very much!
The following user(s) said Thank You: xillibit
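
A simplified model of the failure described in the post above, added here as an example: it is not Kunena's code and not the poster's, and every class and method name in it (AttachmentPolicy, fileExtensions, UploadBase, UploadWithoutContext, UploadWithContext) is hypothetical. It assumes that a "moderators only" setting yields an empty extension list whenever the helper is not told which category and user the upload belongs to.

```php
<?php
// Simplified model of the reported bug (PHP 8+). Not Kunena source: all names are hypothetical.
declare(strict_types=1);

final class AttachmentPolicy {
    // $moderators maps category id => list of moderator user ids (constructed sample data).
    public function __construct(private array $moderators, private array $fileExts) {}

    // Same optional-argument shape as getFileExtensions($category = null, $user = null).
    public function fileExtensions(?int $categoryId = null, ?int $userId = null): array {
        // Assumption: without both values the moderator check cannot pass, so nothing is allowed.
        if ($categoryId === null || $userId === null) {
            return [];
        }
        $isModerator = in_array($userId, $this->moderators[$categoryId] ?? [], true);
        return $isModerator ? $this->fileExts : [];
    }
}

abstract class UploadBase {
    protected array $validFileExts = [];

    public function accepts(string $filename): bool {
        $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
        return in_array($ext, $this->validFileExts, true);
    }
}

final class UploadWithoutContext extends UploadBase {
    public function __construct(AttachmentPolicy $policy) {
        // Mirrors the quoted constructor: the helper is called with no arguments.
        $this->validFileExts = $policy->fileExtensions();
    }
}

final class UploadWithContext extends UploadBase {
    public function __construct(AttachmentPolicy $policy, int $categoryId, int $userId) {
        $this->validFileExts = $policy->fileExtensions($categoryId, $userId);
    }
}

$policy = new AttachmentPolicy([7 => [42]], ['txt', 'pdf']);  // user 42 moderates category 7
var_dump((new UploadWithoutContext($policy))->accepts('notes.pdf'));      // moderator, context dropped
var_dump((new UploadWithContext($policy, 7, 42))->accepts('notes.pdf'));  // moderator, context passed
var_dump((new UploadWithContext($policy, 7, 99))->accepts('notes.pdf'));  // non-moderator
```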
