Hello list,

Currently, user avatars, background images and file attachments are returned by the web server without checking whether the requester is a logged-in user. This is fine for a public site, but may be problematic for a private site.

I have a branch (0.8.x-get-private-file) in my Gitorious repo (git://gitorious.org/~jeff-themovie/statusnet/jeff-themovie-clone.git) that I think addresses this issue for file attachments. (I don't think avatar or background images are sensitive enough to require protecting.) I'd appreciate it if more people (like you? :-) ) can try this out before I submit it to the project. All comments and suggestions are welcomed.

This adds a new action (GetfileAction) whose role is to return a given file attachment. I've also added a mod_rewrite rule to htaccess.sample to redirect requests for file/* to getfile/*. So when the browser requests the file, the request is redirected to the getfile action, which (because of the private site setting) causes the user to be authenticated before allowing the file to be downloaded.

The only hiccup I can see is that, if the user isn't logged in when he/she requests the file, after logging in and being redirected to the file, the URL becomes /getfile/* instead of the original URL. Any thoughts on how to avoid this would be great.

Thanks a bunch!

Jeff

_______________________________________________
StatusNet-dev mailing list
StatusNet-dev@lists.status.net
http://lists.status.net/mailman/listinfo/statusnet-dev
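As an added illustration of the pattern described in the message (not Jeff's branch and not StatusNet's own code), here is the same gate in plain PHP: an Apache rewrite hands `file/*` requests to a script that serves the attachment only to an authenticated session and only when the requested name cannot escape the attachment directory. The session key, attachment directory, login path and file-name rules are assumptions.

```php
<?php
// Added example, not StatusNet code. Assumes this rule in .htaccess:
//   RewriteRule ^file/(.*)$ getfile.php?filename=$1 [L,QSA]
// It is an internal rewrite (no [R] flag), so the browser keeps the
// original /file/... URL and Apache's REQUEST_URI still holds it.

define('ATTACHMENT_DIR', '/var/www/statusnet/file'); // assumed location
define('LOGIN_URL', '/main/login');                  // assumed login action

session_start();

// Gate: on a private site nobody sees an attachment without a login.
if (empty($_SESSION['user_id'])) {
    // Store the original URL so the post-login redirect lands on /file/...
    $_SESSION['returnto'] = $_SERVER['REQUEST_URI'];
    header('Location: ' . LOGIN_URL, true, 302);
    exit;
}

$name = isset($_GET['filename']) ? $_GET['filename'] : '';

// Accept a bare file name only; reject anything that could traverse
// directories or name a dotfile.
if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $name)) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

$base = realpath(ATTACHMENT_DIR);
$path = realpath(ATTACHMENT_DIR . '/' . $name);
// realpath() resolves symlinks; confirm the result is still inside $base.
if ($base === false || $path === false || !is_file($path)
    || substr($path, 0, strlen($base) + 1) !== $base . '/') {
    header('HTTP/1.1 404 Not Found');
    exit;
}

$mime = mime_content_type($path);
if ($mime === false) {
    $mime = 'application/octet-stream';
}
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
// Rendering user-uploaded HTML or SVG inline under the site's origin would
// run as the site; force a download instead. $name is already safe to quote.
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```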