Make FAQ & Pages Attachments Viewable
Commit c4579277 introduced an extra administrative security feature to restrict file access to signed-in users only, even if a user has a valid & signed download URL. The feature, however, did not take into account public images & files associated with FAQs and pages such as landing/thank-you pages. This commit addresses the shortcoming by adding a reference ID (attachment ID) to the download/access URL that can be used to deduce the model/object type that the file request is associated with. The technique will allow us in the future to enforce ACL at the file level depending on privacy settings and the security clearance of the user (agent).
Showing
- file.php: 25 additions, 12 deletions
- include/ajax.draft.php: 9 additions, 6 deletions
- include/class.category.php: 3 additions, 1 deletion
- include/class.faq.php: 3 additions, 2 deletions
- include/class.file.php: 23 additions, 14 deletions
- include/class.format.php: 6 additions, 3 deletions
- include/class.forms.php: 6 additions, 4 deletions
- include/class.page.php: 1 addition, 1 deletion
- include/client/faq.inc.php: 2 additions, 1 deletion
- include/client/templates/thread-entry.tmpl.php: 2 additions, 1 deletion
- include/client/view.inc.php: 1 addition, 1 deletion
- include/staff/faq-view.inc.php: 2 additions, 1 deletion
- include/staff/templates/thread-entries.tmpl.php: 2 additions, 1 deletion
- include/staff/templates/thread-entry.tmpl.php: 2 additions, 1 deletion
- open.php: 2 additions, 1 deletion
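The approach described in the commit message, sketched as an added example (not code from this commit or from the project): a signed download URL that carries an attachment ID, with the ID covered by the signature so it cannot be swapped, and an access check that uses the ID to find the owning object type. All function names, query parameters, the secret and the sample attachment table are assumptions made for illustration.

```php
<?php
// Added illustration; every name here is hypothetical, not the project's API.
const SECRET = 'constructed-demo-secret';

// Constructed sample data: attachment id => file key and owning object type.
const ATTACHMENTS = [
    11 => ['key' => 'abc123', 'type' => 'faq'],    // FAQ image
    12 => ['key' => 'def456', 'type' => 'page'],   // landing/thank-you page
    13 => ['key' => 'ghi789', 'type' => 'thread'], // ticket thread entry
];
const PUBLIC_TYPES = ['faq', 'page'];

function sign(string $key, int $attachmentId, int $expires): string {
    // The attachment id is part of the MAC input, so a URL signed for a
    // private attachment cannot be relabelled with a public attachment id.
    return hash_hmac('sha256', "$key\n$attachmentId\n$expires", SECRET);
}

function downloadUrl(string $key, int $attachmentId, int $ttl = 3600): string {
    $expires = time() + $ttl;
    return 'file.php?' . http_build_query([
        'key' => $key, 'id' => $attachmentId, 'expires' => $expires,
        'signature' => sign($key, $attachmentId, $expires),
    ]);
}

function mayDownload(array $q, bool $signedIn, bool $requireLogin): bool {
    $key = (string)($q['key'] ?? '');
    $id = (int)($q['id'] ?? 0);
    $expires = (int)($q['expires'] ?? 0);
    $sig = (string)($q['signature'] ?? '');
    // Reject expired or tampered URLs (constant-time comparison).
    if ($expires < time() || !hash_equals(sign($key, $id, $expires), $sig)) {
        return false;
    }
    // The attachment must exist and must really reference the requested file.
    if (!array_key_exists($id, ATTACHMENTS)) return false;
    $att = ATTACHMENTS[$id];
    if (!hash_equals($att['key'], $key)) return false;
    // Without the login restriction, a valid signature is enough.
    if (!$requireLogin || $signedIn) return true;
    // Login required and visitor anonymous: only public object types pass.
    return in_array($att['type'], PUBLIC_TYPES, true);
}

// Anonymous visitor, login restriction on: FAQ image vs. ticket attachment.
foreach ([['abc123', 11], ['ghi789', 13]] as [$key, $id]) {
    parse_str(parse_url(downloadUrl($key, $id), PHP_URL_QUERY), $q);
    var_dump(mayDownload($q, false, true));
}
```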