IPS 4.3 video bypasses download permissions for attachments

Nathan Explosion · April 30, 2018

Something I've spotted while updating my HTML5 video player plugin.

The following is the code generated by the IPS 4.3 native embedding functionality for video file uploads:

<video class="ipsEmbeddedVideo" controls="" data-controller="core.global.core.embeddedvideo">
	<source src="http://localhost/ips_43_test/uploads/monthly_2018_04/small.mp4.93b19bfc90dca714d1337ddc469de357.mp4" type="video/mp4">
  		<a class="ipsAttachLink" data-fileid="1" href="http://localhost/ips_43_test/applications/core/interface/file/attachment.php?id=1" rel="">small.mp4</a>
	</source>
</video>

If the forum in which the attachment has been uploaded then has the 'Download attachments' permission for a group disabled, the above code doesn't adhere to that permission.

This does, as it goes via a PHP file which checks for permissions to 'Download attachments':

http://localhost/ips_43_test/applications/core/interface/file/attachment.php?id=1

This doesn't, as it goes directly to the file:

http://localhost/ips_43_test/uploads/monthly_2018_04/small.mp4.93b19bfc90dca714d1337ddc469de357.mp4

Result: if you were previously uploading videos to a forum post and blocking access to said file using the forum permissions then that's no longer possible.

I'll be adding protection against this to my plugin.

Invision Community 4: A more professional report center

Invision Community 5: A video walkthrough creating a custom theme and homepage

Invision Community 5: Page Builder

Invision Community 5: Editor Permissions and Custom Embeds

IPS 4.3 video bypasses download permissions for attachments

Recommended Posts

Nathan Explosion

Archived

Recently Browsing 0 members

More