Implement sharing of attachments

[KT Walrus]

Could you please consider moving the sharing of attachments across different topics/posts to the top of your todo list?

I suggested months ago that the attachment bbcode be allowed to refer to attachment ids in other posts or copies of an attachment could be attached to a new post without re-uploading, but was told that this was not a practical solution to implement (still don't understand why).

Another approach to sharing files is to associate a URL for each attachment as a "sharing" URL (or bbcode) like YouTube or other file sharing sites do.

I have a need for the administrator to attach some files to a pm or personal topic and allow the user to attach that file to one of their other posts. I really would prefer not to require the user to download the attachment and then re-upload it. Some users would need help even performing this action. Better to tell them to select the "sharing" or "add to post" link and paste it into a post to use.

One of the uses of this is to allow iPhone users to attach photos to their posts (by having them email the photo to the board which would attach them to a pm and have them reattach this photo to a post made or edited from the iPhone). iPhone users can't upload attachments without having a custom app written for the site (like Facebook).

[mld11]

A "sharing url" would result in your content being easily shared among other sites, thus rending registrations pointless.

As for pointing to downloads on your own site, you can simply still use the URL in the topic, just link to it.

[KT Walrus]

[quote name='Dark Slipstream' date='24 November 2009 - 05:31 PM' timestamp='1259101878' post='1882195']
A "sharing url" would result in your content being easily shared among other sites, thus rending registrations pointless.

Don't get hung up on terms here. I want to share attachments in posts or pms that aren't necessarily visible to the viewers of the new post that I use the sharing URL in. The sharing url can just be the current attachments bbcode as far as I am concerned, but whatever works best is okay with me.


I want to share photos primarily (but also mp3 files and other attachments). I don't want to share a URL since you don't see the photo inline (or thumbnail) in the new post and the original pm or post that has the attachment might not be visible to the viewer.

As for pointing to downloads on your own site, you can simply still use the URL in the topic, just link to it.

[bfarber]

The only roadblocks are permissions (that's what I said before about the practicality of the suggestion).

We can't just allow any attachment to be downloadable to anyone in the event it's reused somewhere in a forum post. Imagine PMing an attachment to a friend and some member randomly manages to guess the id and download it, even though it was a private attachment.

We'll first have to figure out a system to allow this permissions-wise. I'm certain that won't happen until the next major point release (i.e. 3.1, rather than 3.0.x) at the earliest.

[KT Walrus]

[quote name='bfarber' date='24 November 2009 - 06:18 PM' timestamp='1259104738' post='1882212']
We can't just allow any attachment to be downloadable to anyone in the event it's reused somewhere in a forum post. Imagine PMing an attachment to a friend and some member randomly manages to guess the id and download it, even though it was a private attachment.

Well, I would be okay with having an owner (member_id) associated with each attachment and that the only user that could cross post the attachment to another topic was the same owner. If you used the existing attachment bbcode, then any subsequent poster in the thread could also use the cross posted attachment id. That is, when posting or editing a post, a check could be made to process or ignore the attachment id based on the original author of the post being the owner of the attachment or the attachment id having the topic id of the topic or the attachment id has been previously used in the topic.

This would mean that when the post is first made or edited and contains an attachment id, a check would be made that the attachment id has been previously attached to the topic (as is now the case) or the attachment id is "owned" by the original post author (not necessarily the editing member) or an administrator. If this check succeeds, then the attachment id would be recorded as being attached to the topic (another row in the attachments table in the database would be added). One point is that the owner of an attachment in a pm would be the recipient and not the sender. This is because the recipient is the one that could have downloaded and re-uploaded the file in the pm if this capability didn't exist.

Since the cross posted attachment is added as a topic attachment when the post is created or edited, no other IPB code should have to change. Only the check to see if the attachment id is a valid cross posted attachment and a new topic attachment row would need to be made in the database (and probably marked as a cross posted attachment). Also, might need to make some slight changes to handle deleting the original attachment not deleting cross posted attachments (and the original file) and the deleting of a cross posted attachment not affecting the original attachment. You probably had to handle this case in the pm attachments when the attachment is copied to copies of the pm sent to multiple users.

[mld11]

Not sure what an owner could do, but what about a user array for uploaded attachments.

I guess regular permissions are still the default, but when downloading the attachment via URL (or bbcode, w/e), the checks could see if the user's id belongs in the array, and then allow them to download.

And the owner of the attachment (uploader) and/or administrators (or super mods) have the permissions to share the file with others.


:)

[bfarber]

[quote name='KT Walrus' date='24 November 2009 - 06:49 PM' timestamp='1259106555' post='1882221']
Well, I would be okay with having an owner (member_id) associated with each attachment and that the only user that could cross post the attachment to another topic was the same owner. If you used the existing attachment bbcode, then any subsequent poster in the thread could also use the cross posted attachment id. That is, when posting or editing a post, a check could be made to process or ignore the attachment id based on the original author of the post being the owner of the attachment or the attachment id having the topic id of the topic or the attachment id has been previously used in the topic.

This would mean that when the post is first made or edited and contains an attachment id, a check would be made that the attachment id has been previously attached to the topic (as is now the case) or the attachment id is "owned" by the original post author (not necessarily the editing member) or an administrator. If this check succeeds, then the attachment id would be recorded as being attached to the topic (another row in the attachments table in the database would be added). One point is that the owner of an attachment in a pm would be the recipient and not the sender. This is because the recipient is the one that could have downloaded and re-uploaded the file in the pm if this capability didn't exist.

Since the cross posted attachment is added as a topic attachment when the post is created or edited, no other IPB code should have to change. Only the check to see if the attachment id is a valid cross posted attachment and a new topic attachment row would need to be made in the database (and probably marked as a cross posted attachment). Also, might need to make some slight changes to handle deleting the original attachment not deleting cross posted attachments (and the original file) and the deleting of a cross posted attachment not affecting the original attachment. You probably had to handle this case in the pm attachments when the attachment is copied to copies of the pm sent to multiple users.


That sounds relatively resource intensive. You have to understand that the attachment system does NOT (at all) work based on WHERE the attachment bbcode is posted. It works based on where the attachment was UPLOADED. That's how permissions are verified.

[KT Walrus]

[quote name='bfarber' date='25 November 2009 - 10:46 AM' timestamp='1259163974' post='1882365']
That sounds relatively resource intensive. You have to understand that the attachment system does NOT (at all) work based on WHERE the attachment bbcode is posted. It works based on where the attachment was UPLOADED. That's how permissions are verified.



I understand that. How can it be resource intensive to add code to check permissions when posting or editing a post? Just need a quick match to see if the changed text has a bbcode that might be a cross post attachment. This has nothing to do with the other UPLOAD permission checks. Just a little new code in post processing and only when new text is stored in the database. Only when a new cross post attachment is detected is a permission check done to see if the poster has the permission to cross post this attachment and a new attachment row for the topic is added to the database. Existing UPLOAD processing isn't affected at all since the cross posted attachment is not being reuploaded (just cross posted).

[bfarber]

None of this is done at all now, so all resources related to this would be added to current resource usage of posting (keep in mind)...

We'd have to

1) Parse the post looking for attachment bbcodes (which we don't do now)
2) For any found, run a query to lookup the attachment based on the ID
3) Determine if it's already public (which could be a challenge upon itself - would need callbacks for other apps like blog that might need to run custom code to verify if attachment is normally publicly viewable). What would be public at this point? Member can view? Guest? Poster? Owner is poster?
4) If not, then is it the owner posting? Has this attachment already been used elsewhere that IS public by the owner? This right here would be difficult.

Overall the nature of how this would work is very unstable and unreliable. What would be better I think is a proper attachments manager where the owner can check a box or something to make their attachment public, and then it can just be re-used anywhere without permission checking for view. As for download, I'm not sure yet what we would do. If an admin says guests can't download attachments in Forum A, we wouldn't a member to be able to override that decision. Would they post the attachment in a public area, then re-use it in Forum A? What happens if they post it in Forum A and re-use it elsewhere? What if the admin doesn't allow members to download attachments in Forum A, but does in Forum B, and it's re-used in one location or another? Or what if it's posted in blog, but then re-used in Forum A?

There's a million what-ifs here that need to be resolved before we can do such a thing..

[KT Walrus]

I think you are making this more complicated than it has to be.

I went ahead today and added a button on the post form next to the attach files button to "re-attach files". When clicked, it does a AJAX popup div with a list of all the attachments for the member ordered by most recently uploaded first with checkboxes for selection. Then, I just attach the selected ones to the current post (so they show up in the attachments list that the js builds).

I don't use quotas for disk space and don't bother letting members delete attachments so this is all I have to do to get the feature I want. I'm working on sucking in a photo attachment to a board email address and attaching it to a pm for the user that sent the photo so they can "re-attach" the photo to a new post.

I just want to allow users to post photos from their phone.

[Luke]

Brandon, I also think you're making this harder than it needs to be. I'm going to make some assumptions here, so please bear with me.

When a new attachment is made within the topic a single record is made in the attachments table linking to the topic in question. When the topic is loaded it loads all the attachments linked to it into memory. Then when the attachment bbcode is crossed it replaces valid attachments. Does this sound about right?

So the problem I see with this is if you put an attachment bbcode in that was not loaded when the topic record was got, then you have to verify that the user has the permissions to view each attatchment. This, as you said, would be resource intensive because you'd have to load the attatchments individually and verify their permissions individually. The current system, as I understand, simply loads the attatchments that are linked to the currently viewed topic.

What KT is getting at is if you put in an attatchment bbcode into a post that is not in the topic you can, at posting time, verify that the attatchment belongs to the poster and add a new record (new attatchment id) to the attatchments table. What you'd have to do, however, is physically change the attatchment bbcode to the new id (although if the file name is based on id, you'd need to duplicate the file too, which is not very good).

I don't really know exactly how it works right now, but it seems to me that it can still work exactly the way it is now... You just need another record pointing to the same file and make sure that if one link is deleted the file isn't until all attatchment links (records) are deleted.

It would take a few changes, but I don't believe it's that hard to do. The whole idea is to have an attatchment record for every topic the file is posted in (origonally by the owner of the attatchment), and have it link to the same file.

(Keep in mind that I understand that it would be nice to have every xyz feature and these things take time. I'm just reiterating a hopefully simpler approach)

[Darky999]

I'm not sure what you mean by this? Are you saying that if someone uploaded an image in one topic, then only that person could re-reference it in another topic? What would then happen if you asked someone to make an image for you and they uploaded it for you to use elsewhere in the site? Example, Member X asks someone to make a cool looking chart for their blog, Member Y does so and uploads it in the topic that topic the image was requested. Currently Member X would need to download and save the image, and then re-upload it himself, which is a pain. What the system needs to do is allow anyone to use attachment BBcode (or at the very least, IMG tags) and take that existing image URL and embed it anywhere else they want. Brandon, I think the *simplest* solution here is to simply offer a global option in ACP: override all local forum attachment viewing/download permissions and allow attachments to be shared globally. A simple disclaimer for the site owner explaining that this means attachments may no longer be private or secure, but allows them to be embeddable anywhere. For someone like me, privacy and security is not as important as one of my staff members being able to create an image for another staff member to use in one of their news posts.

verify that the attatchment belongs to the poster

[MaNiAc LRSC]

The "public" button would be nice!