Project

General

Profile

Actions

Bug #1239

closed

silly to let anyone download anything if they know where it is

Added by Anchi Cheng almost 14 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Amber Herold
Category:
Web interface
Target version:
Start date:
03/11/2011
Due date:
% Done:

0%

Estimated time:
Affected Version:
Appion/Leginon 2.1.0
Show in known bugs:
No
Workaround:
Actions #1

Updated by Anchi Cheng almost 14 years ago

  • Assignee changed from Anchi Cheng to Eric Hou

r15504 fix this

Actions #2

Updated by Eric Hou almost 14 years ago

  • Status changed from New to In Code Review
Actions #3

Updated by Eric Hou almost 14 years ago

Hi Anchi!
From what I see from code means we are allow login user to download file except "config.*" and "dbemauth.*" files. (correct me if I am wrong).

Couple passable problems:
First, what happen if user does not use myami login system?
Second, what happen if user is login, but did not pass the privilege check?

I think you might need a return "false" at the end of the "checkExptAccessPrivilege" function.
So if the function return false, the download.php need to exit out or display message to user. Because right now it will still generate the file even through the function did not return true.

Thanks.

Actions #4

Updated by Eric Hou almost 14 years ago

  • Status changed from In Code Review to Assigned
  • Assignee changed from Eric Hou to Anchi Cheng
Actions #5

Updated by Anchi Cheng almost 14 years ago

  • Status changed from Assigned to In Code Review
  • Assignee changed from Anchi Cheng to Eric Hou

"checkExptAccessPrivilege" contains redirct either to login.php or accessdeny.php in all cases when the function is meant to return false so in effect it does not go back to the called script at all. If logged in, it goes to accessdeny.php. If not logged in, it goes to login.php It will only return to the called script if the preivilege check is passed by both criteria.

Because I don't want anyone, even those with expt access privilege (including the case when login is not enabled) to download critical files or files from other sessions, in the case of logged-in user. They are checked again after the preivilege. This is at the file level not the database level.

Actions #6

Updated by Eric Hou almost 14 years ago

  • Status changed from In Code Review to Assigned
  • Assignee changed from Eric Hou to Anchi Cheng

Hi Anchi,
Thank you for your explain.
So in download.php line 8
You can do:

if(!checkExptAccessPrivilege($sessionId,'data')) exit;

That should be take care all the problem. (Because when you redirect to other script, the original script will still keep running in the back).

Thanks.
Eric

Actions #7

Updated by Eric Hou almost 14 years ago

beside the comment I wrote before. The other way is

in function checkExptAccessPrivilege, instead of return false, use exit. Than you don't need to change lots of file calling this function.

Thanks.

Eric

Actions #8

Updated by Anchi Cheng almost 14 years ago

  • Status changed from Assigned to In Code Review
  • Assignee changed from Anchi Cheng to Eric Hou

r15507 did the exit in login.inc

Actions #9

Updated by Eric Hou almost 14 years ago

  • Status changed from In Code Review to In Test
  • Assignee changed from Eric Hou to Amber Herold
Actions #10

Updated by Amber Herold over 13 years ago

  • Status changed from In Test to Closed
Actions

Also available in: Atom PDF