? Pending

User tests: Successful: Unsuccessful:

avatar n9iels
n9iels
13 Jan 2017

Pull Request for Issue #13399

Summary of Changes

  • Home directory is now created by userid instead of username
  • Home directory is created directly in the /images folder instead of /images/images

The old behaviour was that a new folder was created by username on the location /images/images/username. The problem with this behaviour is that if the username contains special characters (ü, é, etc.) the folder is created with this characters. Since a url does not support this characters this behaviour is wrong. Also Joomla! media manager is not able to reach folders with this kind of names.

Using the userid instead of the username makes sure that the folder name is always valid.

Testing Instructions

  1. Go to Content -> Fields and create a custom field of the type "Media"
  2. Set the parameter "Home Directory" on Yes
  3. Create a new article and upload a file with the custom field
  4. Confirm your file is uploaded at and available at /images/<userid>
  5. Change the parameter "Directory" to another path and confirm the file upload is correct
avatar n9iels n9iels - open - 13 Jan 2017
avatar n9iels n9iels - change - 13 Jan 2017
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 13 Jan 2017
Category Modules Front End Plugins
avatar n9iels n9iels - change - 13 Jan 2017
The description was changed
avatar n9iels n9iels - edited - 13 Jan 2017
avatar n9iels n9iels - edited - 13 Jan 2017
avatar n9iels n9iels - edited - 13 Jan 2017
avatar n9iels n9iels - change - 13 Jan 2017
The description was changed
avatar n9iels n9iels - edited - 13 Jan 2017
avatar laoneo
laoneo - comment - 13 Jan 2017

Guess it contains code from another pr ? too?

avatar n9iels n9iels - change - 13 Jan 2017
Title
Use id instead of username; create folder directly in images
[com_fields] Create media home directory on user_id
Labels Added: ?
avatar n9iels
n9iels - comment - 13 Jan 2017

oops...

avatar joomla-cms-bot joomla-cms-bot - change - 13 Jan 2017
Category Modules Front End Plugins Front End Plugins
avatar zero-24
zero-24 - comment - 13 Jan 2017

Hmm would this not mean that we change the title of the folder to an id which no one can understand?

avatar n9iels
n9iels - comment - 13 Jan 2017

Yes. But if the username is changed the files of that user are lost and the user can't access his/her files. Unless the folder name is also changed offcors..

avatar mbabker
mbabker - comment - 13 Jan 2017

Unless the folder name is also changed offcors

Bad idea unless you're also going to fix all of the content referencing that file path. ID is more consistent, what is the issue with using it?

avatar n9iels
n9iels - comment - 13 Jan 2017

@mbabker good point. Except what @zero-24 says, I don't see issues with using id's instead of usernames

avatar Bakual
Bakual - comment - 13 Jan 2017

Isn't that feature already possible with the regular mediafield (eg in articles)? Not sure but I think I remember seeing something like that once.
If so, then it has to behave the same in the custom field.

avatar laoneo
laoneo - comment - 14 Jan 2017

I'm more of a fan of username, with id's you can guess the next user folder too easy. But there is a third alternative, adding an option to the field which scheme should be used to create the folder, ID or username. Just an idea.

avatar freshweb
freshweb - comment - 15 Jan 2017

I have tested this item successfully on 6844fa5

Joomla! 3.7.0-alpha2 dev


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13582.

avatar freshweb freshweb - test_item - 15 Jan 2017 - Tested successfully
avatar n9iels
n9iels - comment - 15 Jan 2017

What is the problem with guessing the user ID? Images folder is always public.

Making it a option might be a good idea. But than you still have a possible break when you like to change a username

avatar laoneo
laoneo - comment - 15 Jan 2017

Yes but at least, the user has decided to use that scheme.

avatar coolcat-creations
coolcat-creations - comment - 5 Feb 2017

test successful but i fear security issues as you can read out then the userid if you access images/42 or images/73 whatever. So username and userid are not good solutions.

cc @SniperSister


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13582.

avatar coolcat-creations
coolcat-creations - comment - 5 Feb 2017

I have tested this item successfully on 6844fa5

! please see my comment !


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13582.

avatar coolcat-creations coolcat-creations - test_item - 5 Feb 2017 - Tested successfully
avatar n9iels
n9iels - comment - 6 Feb 2017

@coolcat-creations Google is also allowed to look in that folder. Also if you have some secrets to hide, you don't hide them in a random folder. So I don't think it is a security leak. Because secure image should not be saved in a publicly accessible area / folder

avatar SniperSister
SniperSister - comment - 6 Feb 2017

@n9iels the security issue is not related to the fact that one can guess image paths but the fact that one can systematically crawl through those directory and get a list of user IDs with this. These user IDs can be used for other attacks using attack vectors like SQL injections.

avatar coolcat-creations
coolcat-creations - comment - 6 Feb 2017

There is btw a PR to remove the Home Option at all #13893

avatar fastslack
fastslack - comment - 7 Feb 2017

@SniperSister why not mapping the id and some uniqid() value into database?

avatar SniperSister
SniperSister - comment - 7 Feb 2017

That's a possible solution, even though I don't like the idea of an extra database call that might be necessary in some situation if only the user id is available.

avatar yvesh
yvesh - comment - 7 Feb 2017

Hmm hashing the userid even with salt does not make much sense either.. (Hashed) Usernames can be changed and even as we have plugin events for these, it's not nice updating folders.

So maybe an uuid in the users table is the most efficient way to go.. This could be helpful for a lot of places where we currently use the user id publicly (com_contacts etc.)

JFactory::getUser()->uuid, JFactory::getUser($uuid)

As always any solution has ups and downs..

avatar laoneo
laoneo - comment - 8 Feb 2017

There is another discussion going on #13878. Perhaps we should remove that option as in PR #13893. More and more I have the impression that confuses people more than it helps.

avatar zero-24
zero-24 - comment - 23 Feb 2017

Closing as the feature is removed from the core now :)

avatar zero-24 zero-24 - change - 23 Feb 2017
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2017-02-23 13:15:54
Closed_By zero-24
avatar zero-24 zero-24 - close - 23 Feb 2017

Add a Comment

Login with GitHub to post a comment