Jump to content

Community

IP Downloads: Users can see downloads sended by other users?


Recommended Posts

The purpose of this feature is to allow the member to send personal documents for the staff. At the moment I need to create a group for each member who wants to send us their ID and then this group is associated with a subcategory in the downloads (IP Downloads offers the possibility to store information in a kind of vault). While the functionality that is available for the forums allows to create a kind of DropBox alone, the interested person sees these files except for the staff.

Link to post
Share on other sites

Hello bfarber,

13 hours ago, bfarber said:

An alternative might be to use clubs for your purposes. Clubs can contain download categories and you can explicitly control who has access to individual clubs.

I use clubs but it's not same feature, I would have to create a unique club for each member to send me the documents.

The principle is that only the member sees the sending of these files with the staff. This simplifies user administration.

Link to post
Share on other sites
6 hours ago, Daniel F said:

Do you really need IP.Downloads for this? Can’t you use topics to upload the file ? 

Hello,

No, uploads in the forum are not secured like in IP-Downloads which offers a vault (the download link does not correspond to the location of the real file).

We discovered in the website logs robots that are constantly downloading files sent by members in the while they have never logged in. It's a real security problem in addition to being a bandwidth bottleneck. If the files sent to the forum were protected by the same method as IP-Downloads (except for screenshots) then the question would not arise.

Link to post
Share on other sites
9 minutes ago, MEVi said:

Hello,

No, uploads in the forum are not secured like in IP-Downloads which offers a vault (the download link does not correspond to the location of the real file).

We discovered in the website logs robots that are constantly downloading files sent by members in the while they have never logged in. It's a real security problem in addition to being a bandwidth bottleneck. If the files sent to the forum were protected by the same method as IP-Downloads (except for screenshots) then the question would not arise.

Is there a reason to have the forum public then? Can just restrict access to the forum to not be seen by guests and the attachments will not be visible to guests.

Link to post
Share on other sites
2 minutes ago, Jim M said:

Is there a reason to have the forum public then? Can just restrict access to the forum to not be seen by guests and the attachments will not be visible to guests.

We have already tried it and it does not guarantee the confidentiality of information even if the forums are not open to the public, they are visited by robots. Did the member provide the possible web link although many members say no.

Link to post
Share on other sites
27 minutes ago, MEVi said:

No, uploads in the forum are not secured like in IP-Downloads which offers a vault (the download link does not correspond to the location of the real file).

Holup.

Are you saying that if someone adds an attachment to a thread that only certain user groups have access to, the url to the attachment is not restricted via a link that checks for permissions on accessing?

Is this really only security through obscurity?

Link to post
Share on other sites
19 minutes ago, MEVi said:

We have already tried it and it does not guarantee the confidentiality of information even if the forums are not open to the public, they are visited by robots. Did the member provide the possible web link although many members say no.

This is incorrect or something is not quite right with your permissions you've set. If a member group does not have access to a forum, they cannot access attachments or the topics in that forum. (NOTE: embedded images will be available, however, as these are handled differently but sounds like this is not your case.)

If you've previously had the forum open to the public, bots may have stored those URLs and be attempting to access them. However, they will receive permission denied messages.

If you would like to submit a ticket, we're happy to give your permissions a once over for you.

Link to post
Share on other sites
5 minutes ago, Jim M said:

This is incorrect or something is not quite right with your permissions you've set. If a member group does not have access to a forum, they cannot access attachments or the topics in that forum.

If you've previously had the forum open to the public, bots may have stored those URLs and be attempting to access them. However, they will receive permission denied messages.

If you would like to submit a ticket, we're happy to give your permissions a once over for you.

The number of members on the site is low and yet the bandwidth used is astronomical. Analyzing the logs, I see that the robots, download tirelessly, all the public attachments. But if I look closer, I see that some sections of the forum are not public yet robots also manage to download them. I have experienced this on this website public and private area and I can download the following files as members via the direct link. Example:

Public in Marketplace
https://dne4i5cb88590.cloudfront.net/invisionpower-com/monthly_2020_02/3.png.6d953f0b693ef5124a25d0bf1c5e9be4.png
Private in Client Lounge 
https://dne4i5cb88590.cloudfront.net/invisionpower-com/monthly_2021_01/image.png.bef72f47d79479df595fb89022922100.png

Yes, he doesn't see the content of the forum discussions, but can download the files independently if they are a member or not. That's why IP-Downloads is ideal and should be the standard.

20 minutes ago, Paul E. said:

Holup.

Are you saying that if someone adds an attachment to a thread that only certain user groups have access to, the url to the attachment is not restricted via a link that checks for permissions on accessing?

Is this really only security through obscurity?

Attachments are accessible via the direct web link in the forum while in IP-Donloads it's not the case it's a URL key that is generated for each member and for a limited time which is great in terms of security. You cannot download Marketplace items via a direct web link, so why don't I extend this to the forum ?

Link to post
Share on other sites
2 minutes ago, MEVi said:

The number of members on the site is low and yet the bandwidth used is astronomical. Analyzing the logs, I see that the robots, download tirelessly, all the public attachments. But if I look closer, I see that some sections of the forum are not public yet robots also manage to download them. I have experienced this on this website public and private area and I can download the following files as members via the direct link. Example:


Public in Marketplace
https://dne4i5cb88590.cloudfront.net/invisionpower-com/monthly_2020_02/3.png.6d953f0b693ef5124a25d0bf1c5e9be4.png
Private in Client Lounge 
https://dne4i5cb88590.cloudfront.net/invisionpower-com/monthly_2021_01/image.png.bef72f47d79479df595fb89022922100.png

Yes, he doesn't see the content of the forum discussions, but can download the files independently if they are a member or not. That's why IP-Downloads is ideal and should be the standard.

Apologizes, I updated my previous post after you quoted. Images are available as they are handled differently. I didn't mention this originally as thought by "documents" you mentioned these would not be images in your case. Files which are downloaded, such as word docs, zip/archive files, etc... are protected under this.

Link to post
Share on other sites
12 minutes ago, Jim M said:

Apologizes, I updated my previous post after you quoted. Images are available as they are handled differently. I didn't mention this originally as thought by "documents" you mentioned these would not be images in your case. Files which are downloaded, such as word docs, zip/archive files, etc... are protected under this.

Indeed it is not possible to download word docs, zip/archive files, etc... 😅

The members send legal documents and often he takes a photo with their signature. Is there a setting in the forum to extend this protection to the other file type (photo and co)?

Link to post
Share on other sites
4 minutes ago, MEVi said:

Indeed it is not possible to download word docs, zip/archive files, etc... 😅

The members send legal documents and often he takes a photo with their signature. Is there a setting in the forum to extend this protection to the other file type (photo and co)?

Not at this time.

I did bring this up internally for discussion.

Link to post
Share on other sites
On 1/20/2021 at 7:42 AM, MEVi said:

The purpose of this feature is to allow the member to send personal documents for the staff. At the moment I need to create a group for each member who wants to send us their ID and then this group is associated with a subcategory in the downloads (IP Downloads offers the possibility to store information in a kind of vault). While the functionality that is available for the forums allows to create a kind of DropBox alone, the interested person sees these files except for the staff.

I wonder if something like Application Forms by @Fosters might be a better workflow for you.  

Link to post
Share on other sites

Hello @Joel R,

In this context the forms are unsuitable, because the problem with the photos is the same as in the forum, etc. This prompted me to open this topic, without noticing that ZIP files are secure because there is no direct URL possible. Some file types (MIME) such as .JP?G ; .GIF ; .PNG are not secure and should be fixed.

Edited by MEVi
Link to post
Share on other sites
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

We use technologies, such as cookies, to customise content and advertising, to provide social media features and to analyse traffic to the site. We also share information about your use of our site with our trusted social media, advertising and analytics partners. See more about cookies and our Privacy Policy