Download another user’s files with my session.

    • GONTRÁN URANGA
      Participant
      # 1 year ago

      Hello. My question is the next:
      When you upload a file to a user, the system sends a notification to that user to access the file, and when the log or record downloads it, the user says such a file has been downloaded.
      But if, for whatever reason, another intranet user accesses that link, that other user’s file can be downloaded. And the log says that user so-and-so has downloaded a file from another user.
      There is no way to limit this? Because we understand that it is a security breach, that someone can download another user’s files by having the link in the notification email to that user.
      Thank you so much.

    • Thomas
      Keymaster
      # 1 year ago

      Hi,

      If you copy the link and then paste it in your browser’s address bar, you’ll see that the link is actually not a direct link to the file (the link should not end with “.pdf”), but instead, a link pointing to the private file post. When you connect to that page, the plugin will actually check the current user session, and check if the user is allowed to download the file (eg. administrator, or assigned to the private file post).
      You can verify that by copying/pasting the link into a private browser session, while not connected to the site. You should see a message telling you don’t have the required permissions.

      Also, I would suggest that you make sure your storage folder is inacessible from direct URLs access. Best way is to move the storage folder outside of your webroot (method A.). That way, there should be no way anyone can access your files using a direct link.

      Do not hesitate if anything else is unclear.

      Best regards.

      Want to help WP Customer Area? It only takes few seconds!
      Rate & review the plugin on WordPress.org 🙂

Viewing 1 reply thread

The topic ‘Download another user’s files with my session.’ is closed to new replies.