No announcement yet.

Attachments: Server file rights and Member access rights?

  • Filter
  • Time
  • Show
Clear All
new posts

  • Attachments: Server file rights and Member access rights?

    Quick questions about how vb3 handles attachments—

    I understand that attachments can be setup in the admin panel to store as actual files on the server rather than embedding them in the database itself.

    1) Files stored on server: Can vb3 store these by username? For example, if user 'Goober' uploads 'mylizard.jpg' can it land on the server (viewable by admin FTP, etc.) as 'Gobber_mylizard.jpg' ? If not, how does vb3 store/encode them and does the admin panel provide a way to view attachments by user, and to view those attachments quickly (like loading them into a big page or using ACDSee, etc., to thumb through pics fast), with or without a means to delete them?

    2) Attachment files written to a folder: I noticed that Invision forum boards write attachment rights such that I (as admin via FTP) cannot delete them: Access Denied. My only recourse is to use SSH to login as full Root before I can delete them. Does vb3 have this same issue?

    3) Member rights to attachment: Are attachments stored in a folder/directory below the web/html folder so that direct URL addressing won't allow attachments to be displayed by anyone? That is, does a vb3 .php 'attachmentview' page have to check user rights and then go out and read the attachment for that user as a security measure?

    4) Is it possible for attachments to be set so that the owning user/member cannot delete them or replace them? If so, can a time limit be placed on replacing/changing the attached file (similar to how they have a time limit on editing their posts but after that the text is locked and only a mod can edit it)?

  • #2
    1) vBulletin stores attachments in folders by userid. Each file within this folder is named by its attachment ID and the extension attach for security purposes. There is a section in the Admin CP labeled "Attachments" where you can maintain, list, search and moderate attachments.

    2) This is a limitation of the permission system used by the filesystem. By default the system creates these with the permission of 0777 which means you should be able to delete them as a normal FTP user.

    3) You can store attachments outside of your webroot and it is recommended that you do this for security purposes. When using the built in viewing script, it checks vBulletin permissions before showing it to anyone.

    4) This is not an option at this time.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API - Full / Mobile
    Vote for your favorite feature requests and the bugs you want to see fixed.


    • #3
      In regards to number 4, if a user doesn't have permission to edit a post, then they won't be able to add/delete attachments from a post either.


      • #4
        Originally posted by Freddie
        ...if a user doesn't have permission to edit a post, then they won't be able to add/delete attachments from a post either.
        Ahhh.. excellent!! Thanks, guys! VB3 has shaped up to the best forum boards I've seen yet!

        My last two questions on attachments (I promise):

        1) The attachments manager in the User CP: I don't have attachments here so was unable to try this... But, I assume this can let the member review/manage all of his/her attachments? If so, are they also prevented from actually modifying/replacing/deleting those attachments from this utility when they don't have rights to edit the post text those attachments are in?

        2) Does the Admin attachment viewer, in addition to being able to "maintain, list, search and moderate attachments", also allow you to quickly view thumbnails of these pictures so that you can visually scan a great number of attached pictures and quickly delete the ones you want gone?

        Thanks !!


        • #5
          1 - Well that would be the idea but taking a look at the code reveals that it might not be working right in that regard so I am going to fix it right now.

          2 - Unfortunately, no but a nice idea for a feature request.


          • #6
            Originally posted by Freddie
            ...I am going to fix it right now.
            Cool! Thank you!! That's pretty important to me. Also, will that new code go into gamma download or will we have to wait for an RC1 release?

            2 - Unfortunately, no but a nice idea for a feature request.
            Okay. But you're at least able to view attachments one at a time by clicking on them from a list inside the admin attachment manager?


            • #7
              1 - RC1 and I just finished it.
              2 - Yes.