Token for channel A makes a non-public webpage from channel B accessible

neue medienordnung plus
  last edited: Tue, 14 Nov 2017 08:59:07 +0100  
  • I created webpage WPB (http://dummy.org/page/wpb) on channel B with content protected by [observer=1/0]
  • I created token TCA for channel A (zat=tca)
  • I opened webpage WPB with the token for channel A
  • I see the protected content in webpage WPB
Hubzilla version 2.8.1

@Mike M. closed the issue https://github.com/redmatrix/hubzilla/issues/909, but I think it is a bug that Hubzilla displays protected content in webpage WPB for a visitor with token TCA, which is valid for channel A, because I created a token for access to channel A, not to channel B.

Similar to logins on hubs:
  • a valid login on hub https://hub.freecommunication.org/ gives no permission to log in on hub https://macgirvin.com/
  • I expect that a valid token for https://hub.freecommunication.org/channel/nmoplus gives no permission for https://hub.freecommunication.org/channel/wallzilla
I think the current behavior of the token solution is a danger for channel security:
a malicious user from channel https://hub.freecommunication.org/channel/A can create a token TCB and get access to token-protected content on channel https://hub.freecommunication.org/channel/B

Token management is located with channel owner A. This fact suggests that the token from channel A is valid for channel A. I think an average user assumes that tokenized access protects their own content. What do you think? Please vote pro or contra on this statement:

A token for channel A gives no permission to access token-accessible content from channel B.

#tokenmanagement #token @Hubzilla Support Forum+ @Hubzilla Development+
Steffen K9 🐙
  
Well, if I'm logged in I see the Loremipsum stuff and my name in the text. If I'm logged out I can only see the headline but not the content. If I put the '&zat=topsecret' at the end of the URL I can see the content but instead of my name it shows "Dear Guest/LieberGast".
Looks reasonable to me.
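To make the behavior Steffen describes concrete (logged in: content with your name; logged out: headline only; with zat= in the URL: content addressed to "Guest"), here is a small Python model of [observer=1/0] rendering with per-channel access tokens. It is an added illustration and not Hubzilla's code: the token store (token value to issuing channel), the "{observer}" name placeholder, the assignment of "topsecret" to channel B, and the rule that a token is honored only by the channel that issued it (the statement the thread asks people to vote on) are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed sample token store: token value -> channel that issued it.
# Mirrors the thread's names: TCA (zat=tca) belongs to channel A; Steffen's
# "topsecret" is assumed here to belong to channel B.
TOKENS = {
    "tca": "channel_a",
    "topsecret": "channel_b",
}

# [observer=1]...[/observer] is shown only to observers,
# [observer=0]...[/observer] only to everyone else.
OBSERVER_RE = re.compile(r"\[observer=([01])\](.*?)\[/observer\]", re.DOTALL)

# Constructed page source. "{observer}" is a placeholder of this example only,
# standing in for whatever name tag the real page uses.
PAGE_WPB = (
    "Headline\n"
    "[observer=1]Dear {observer}, here is the Loremipsum protected text.[/observer]"
    "[observer=0]Log in or use an access link to read this page.[/observer]"
)


@dataclass
class Visitor:
    name: Optional[str] = None   # set when the visitor is logged in
    token: Optional[str] = None  # value of the zat= query parameter, if any


def visitor_from_request(url: str, logged_in_name: Optional[str] = None) -> Visitor:
    """Build a Visitor from the request URL (zat=... query) and session state."""
    query = parse_qs(urlparse(url).query)
    token = query.get("zat", [None])[0]
    return Visitor(name=logged_in_name, token=token)


def is_observer(visitor: Visitor, page_channel: str) -> bool:
    """A visitor is an observer when logged in, or when presenting a token
    issued by the page's own channel. A token from another channel is ignored."""
    if visitor.name:
        return True
    return visitor.token is not None and TOKENS.get(visitor.token) == page_channel


def observer_name(visitor: Visitor, page_channel: str) -> Optional[str]:
    """Logged-in visitors are addressed by name, token visitors as Guest."""
    if visitor.name:
        return visitor.name
    if is_observer(visitor, page_channel):
        return "Guest"
    return None


def render(page_source: str, page_channel: str, visitor: Visitor) -> str:
    """Keep the [observer=...] blocks matching the visitor's status, drop the rest."""
    observer = is_observer(visitor, page_channel)

    def keep_or_drop(match: "re.Match[str]") -> str:
        wants_observer = match.group(1) == "1"
        return match.group(2) if wants_observer == observer else ""

    body = OBSERVER_RE.sub(keep_or_drop, page_source)
    name = observer_name(visitor, page_channel) or ""
    return body.replace("{observer}", name)


if __name__ == "__main__":
    cases = [
        ("logged in", Visitor(name="Steffen")),
        ("logged out", visitor_from_request("http://dummy.org/page/wpb")),
        ("own-channel token", visitor_from_request("http://dummy.org/page/wpb?zat=topsecret")),
        ("other-channel token", visitor_from_request("http://dummy.org/page/wpb?zat=tca")),
    ]
    for label, visitor in cases:
        print(f"--- {label} ---")
        print(render(PAGE_WPB, "channel_b", visitor))
```

Running it prints the four views of the page on channel B: the last case shows that the channel A token (zat=tca) falls through to the [observer=0] branch, which is exactly the separation the original post asks for.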
neue medienordnung plus
  
OK, it is my fallacy. And for advanced server-side access control at the paragraph level, Hubzilla developers need tools such as AJAX with ACL support, right?
Mike Macgirvin
  
And for advanced server-side access control at the paragraph level, Hubzilla developers need tools such as AJAX with ACL support, right?


It needs a whole lot more than that. You're welcome to give it a go.
changing ACL for tokenized content

neue medienordnung plus
  last edited: Tue, 14 Nov 2017 08:08:26 +0100  
  • I created webpage WPB (http://dummy.org/page/wpb) on channel B with content protected by [observer=1/0]
  • WPB contains image ImA, which should be accessible only to selected visitors
  • I allowed visibility of ImA for token TImA
  • but image ImA is not visible for token TImA
  •   image ImA is visible for token TImA if I upload/include image ImA after changing the ACL for image ImA
Is this behavior a bug or a feature? I expect that image ImA is visible for token TImA without re-uploading image ImA after allowing visibility of ImA for token TImA.

#tokenized #tokenizedcontent #protectedcontent #visibility @Hubzilla Development+ @Hubzilla Support Forum+
Haakon Meland Eriksen (Parlementum)
  
Right, you need two folders, one for restricted files and one for public files.

ImageB must be under a restricted folder in Files, e.g. Restricted Files, while ImageA is in a public folder in Files, e.g. Public Files.

Add the ZAT for OnlyYouAreWelcome to Restricted Files.

Add the ZAT-link to ImageB to the webpage.

I may have got this wrong.
neue medienordnung plus
  
I assume that with your solution I must also declare all webpages that include Restricted Objects as Restricted Webpages. Otherwise, other authenticated users without access to image logo.png see this message:

Image/photo
Haakon Meland Eriksen (Parlementum)
  
Well, as described just those with the ZAT-link are allowed in, but you can add other people to the Restricted Files folder. I am going to a meeting now, so good luck! :-)