There is a bug in the current permission system that allows everyone to see the existence of all media on your site no matter what privileges you set. If you remove all permissions to Everyone and Registered Users, Anonymous and Registered Users are able to see the existence of all media items. If they don't have access they won't be able to click on an object and get to the view page, but they can see the object.
In the post "Re: Locking down the site" he talks about the Aggregate Behavior tab, but those flags are for something entirely different and do not at all provide a work-around for this issue, and in fact any user can bypass what this flag does. As it stands it is not possible to lock down any CS 2008 site, as the existence of all media is visible to everyone.
WGB Enterprises - Freelance Community Server and other Development | openSourceC.org
Well, Rob Nash appears to have found the bug in CommunityServerComponents20/Sections.cs line 252 which reads:
else if (query.Permission != Permission.View && !query.IgnorePermissions)
What this ends up doing is allowing a query permission of View to ignore permissions for the section. By changing the above line to:
else if (!query.IgnorePermissions)
The user must have the View permission to see the existence of any items within the section. This also means that it affects more than just galleries; it affects blogs and forums too, as they also call this same static method.
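The effect of the two conditions quoted above, as an added example that is not part of the original post and is not Community Server source. Only `Permission.View`, `query.Permission` and `query.IgnorePermissions` come from the thread; the `Section`, `Query` and `Demo` types, the `AnonymousGrants` field and the sample sections are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model of a section listing filter, not the real Sections.cs.
[Flags] enum Permission { None = 0, View = 1, Post = 2 }

class Query { public Permission Permission; public bool IgnorePermissions; }

class Section
{
    public string Name;
    public Permission AnonymousGrants; // hypothetical: what an anonymous user is granted
}

static class Demo
{
    // Condition as quoted in the thread: the permission check is skipped for View queries.
    static bool MustCheckBuggy(Query q) => q.Permission != Permission.View && !q.IgnorePermissions;

    // Condition after the change proposed in the thread: only IgnorePermissions skips the check.
    static bool MustCheckFixed(Query q) => !q.IgnorePermissions;

    // Returns the section names a query would list under the given condition.
    static List<string> Visible(IEnumerable<Section> sections, Query q, Func<Query, bool> mustCheck) =>
        sections.Where(s => !mustCheck(q) || (s.AnonymousGrants & q.Permission) == q.Permission)
                .Select(s => s.Name)
                .ToList();

    static void Main()
    {
        // Constructed sample data: one public section, one with every permission removed.
        var sections = new[]
        {
            new Section { Name = "Public gallery",  AnonymousGrants = Permission.View },
            new Section { Name = "Private gallery", AnonymousGrants = Permission.None },
        };
        var viewQuery = new Query { Permission = Permission.View };
        var postQuery = new Query { Permission = Permission.Post };

        Console.WriteLine("old condition, View: " + string.Join(", ", Visible(sections, viewQuery, MustCheckBuggy)));
        Console.WriteLine("new condition, View: " + string.Join(", ", Visible(sections, viewQuery, MustCheckFixed)));
        Console.WriteLine("old condition, Post: " + string.Join(", ", Visible(sections, postQuery, MustCheckBuggy)));
    }
}
```

In this model the old condition still filters the Post query correctly, which is why the problem only shows up in listings: View is the one permission for which the check is never reached.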
So is there any plan to fix this in a release version?
This is fixed in CS2008.5 beta and so should be included in the final release.
Community Server Documentation please rate articles you read
Nintendo Wiikly | My Blog