Resources do not require authentication

I just noticed that one can access resources, using a link, without needing to authenticate.

Steps to confirm:

1) In Gibbon, find a resource and click on the link to open it (such as a PDF file).

2) Copy the URL and paste it into a browser that is not authenticated for Gibbon.

3) The PDF file will be displayed without any awkward questions being asked.

Expected behaviour: Gibbon should redirect to a login prompt of some sort.

Comments

  • The same goes for files connected to lesson plans.
  • Hi fvlasie,

    Gibbon obfuscates the URLs for resources by adding a random hash to the url, much in the same way other systems like Google generate 'private' urls that can still be shared. I would guess this behavior is necessary as some parts of the system allow public access to pages that can have resources in them, including Departments and Units. It is still important to ensure your system is configured with security in mind and does not allow directory-level indexing of the file system.

    As a system admin though you can take certain steps to restrict all access to the uploads folder. For example, I use a variation of the following mod_rewrite code in the /uploads folder .htaccess file (Apache) to prevent access to particular filetypes:
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^https://gibbon\.your-domain\.com.*$ [NC]
    RewriteRule .*\.(wav|swf|jpg|jpeg|gif|png|bmp|pdf)$ - [F,NC,L]
    Hope this helps!
  • Very clever!

    Yes I can use that.

    Thank you Sandra!
  • Hi @sandra ,

    It this something that you feel could usefully be implemented into the core? What are the up and downsides? The installer could insert the domain name into it...

    Hi @fvlasie,

    As per the Post Install & Server Config documents (scroll to the second last section of the page), it is important that you also turn off folder browsing on your web server, to prevent people peeking into /uploads via their browser.

    Thanks,

    Ross
Sign In or Register to comment.