Hi !

I'm currently using the version of Yafnet and I was wondering if what I found is a bug.

Currently on our yafnet, we can access every attachment of the forum with the url even if we aren't supposed to have access. For example : I give an url to an attachment to a user that doesn't have access to the message(topic) that contains the attachment and that user can download the attachment.

I looked a little bit into the code and there are no validation to check that the user has access to the attachment or to check that it has access to at least the parent message(topic). Is that normal ? If not, is this bug been fixed into the newer versions of Yafnet ?

Thanks !
  •  Mek
  • 100% (Exalted)
  • YAF Developer
Yup that was a bug; fixed on newer versions; just can't remember which exact version it was fixed in.


"It's a case of RTFM.. the only problem being we don't have a manual!"

When I post FP:Mek in a topic, I'm leaving my footprint there so I can track it once I get into coding/supporting. (Yes I stole this off Ederon 🙂 )

About Us

The YAF.NET is an open source .NET forum project. YAF.NET is supported by an team of international developers who are build community by building community software.

Powered by Resharper Donate with PayPal button

Project Twitter Updates

Copyright © YetAnotherForum.NET & Ingo Herbote. All rights reserved