Hi there,

Came across some undesirable behaviour in a certain scenario with the following config:

**Scenario**

- `user1` & `user2` both have site access
- `/restricted` has defined that only `user1` can access the page
- `user1` can access `/restricted`
- if `user2` tries to access `/restricted`, they will see the contents of `unauthorized.md` (as expected)
- if `user2` tries to access media files, e.g. `/restricted/media.jpg`, they can see them (undesirable)

Note: if a guest user tries to access `/restricted/media.jpg`, they will be redirected to a login page as expected.

So any user with site access will be able to access media files of a protected page, regardless of that protected page excluding certain users based on a group, e.g. whether they have paid.

Did a quick fix locally by doing a 302 redirect if the URI extension is a media type, near the end of `setUnauthorizedPage()`:

grav-plugin-login/login.php, lines 415 to 434 in 3f9560a

Wanted to see whether there was a better way of doing this?

---

This actually turned out to be a bigger problem. You can't redirect non-HTML requests to HTML pages, so moved this up into `authorizePage()` and simply throw a 403 error if unauthorized.
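As an added illustration of the decision logic the report describes (my own code, not the login plugin's, and written in Python rather than the plugin's PHP): a protected page's access rule is applied to the media files beneath its route as well, guests are still sent to login, and a logged-in but unauthorized user asking for a non-HTML file gets a 403 instead of a redirect to the unauthorized page. `MEDIA_EXTENSIONS`, `PageAccess`, `decide` and the other names are assumptions; `buggy=True` reproduces the reported behaviour, where only the page route itself is checked against the rule.

```python
# Added illustration, not Grav plugin code: who may fetch a protected page
# and the media files that live beneath its route.
from dataclasses import dataclass
from typing import List, Optional

# Assumed list of extensions treated as "media" (the report only names .jpg).
MEDIA_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "svg", "pdf", "mp4"}


@dataclass
class User:
    username: Optional[str]            # None means guest (not logged in)
    groups: frozenset = frozenset()    # e.g. {"paid"}


@dataclass
class PageAccess:
    route: str                         # e.g. "/restricted"
    allowed_users: frozenset = frozenset()
    allowed_groups: frozenset = frozenset()


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_media_request(path: str) -> bool:
    return extension(path) in MEDIA_EXTENSIONS


def protecting_page(path: str, pages: List[PageAccess]) -> Optional[PageAccess]:
    """The protected page that owns this path: the page itself, or the
    closest page whose route is a parent of the requested file."""
    owners = [p for p in pages if path == p.route or path.startswith(p.route + "/")]
    return max(owners, key=lambda p: len(p.route), default=None)


def is_authorized(user: User, page: PageAccess) -> bool:
    if user.username is None:
        return False
    return user.username in page.allowed_users or bool(user.groups & page.allowed_groups)


def decide(path: str, user: User, pages: List[PageAccess], buggy: bool = False) -> str:
    """Return 'allow', 'login', 'unauthorized-page' or 'forbidden'.

    buggy=True models the reported behaviour: a media request only checks
    that someone is logged in, so any site user can fetch the file."""
    if buggy and is_media_request(path):
        return "login" if user.username is None else "allow"

    page = protecting_page(path, pages)
    if page is None or is_authorized(user, page):
        return "allow"
    if user.username is None:
        return "login"                 # guest: send to the login page
    # Logged in but not allowed. A non-HTML request cannot be redirected to
    # an HTML page, so answer 403 instead of rendering unauthorized.md.
    return "forbidden" if is_media_request(path) else "unauthorized-page"


if __name__ == "__main__":
    # Constructed sample configuration matching the report.
    pages = [PageAccess("/restricted", allowed_users=frozenset({"user1"})),
             PageAccess("/members", allowed_groups=frozenset({"paid"}))]
    user1, user2, guest = User("user1"), User("user2"), User(None)
    payer = User("user3", frozenset({"paid"}))
    for path, who in [("/restricted", user2), ("/restricted/media.jpg", user2),
                      ("/restricted/media.jpg", guest), ("/members/invoice.pdf", payer),
                      ("/members/invoice.pdf", user2)]:
        print(f"{who.username or 'guest':6} {path:24} reported={decide(path, who, pages, buggy=True):18}"
              f" fixed={decide(path, who, pages)}")
```

The point to check in a real deployment is the `/restricted/media.jpg` row: the rule that hides the page must produce a 403 for the file too, not just for the page's HTML.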