
neue medienordnung plus

nmoplus@hub.tschlotfeldt.de

Token for channel A makes a non-public webpage from channel B accessible

  last edited: Tue, 14 Nov 2017 08:59:07 +0100  
  • I created webpage WPB http://dummy.org/page/wpb on channel B with [observer=1/0] protected content
  • I created token TCA for channel A, zat=tca
  • I opened webpage WPB with the token for channel A
  • I saw the protected content in webpage WPB
Hubzilla version 2.8.1

@Mike M. closed the issue https://github.com/redmatrix/hubzilla/issues/909, but I mean that it is a bug that Hubzilla displays protected content in webpage WPB to a visitor with token TCA, which is valid for channel A, because I created that token for access to channel A, not to channel B.

Similar to login on hubs:
  • one valid login on hub https://gerzilla.de/ is no permission to log in on hub https://macgirvin.com/
  • I anticipate that one valid token for https://gerzilla.de/channel/nmoplus is no permission for https://gerzilla.de/channel/wallzilla
I mean that the actual behavior of the token solution is a danger for channel security:
a malicious user from channel https://gerzilla.de/channel/A can make one token TCB and get access to token-protected content on channel https://gerzilla.de/channel/B

Token management is located with channel owner A. This fact suggests that the token from channel A is valid for channel A. I mean that an average user assumes that tokenized access to content protects their content. What do you think? Please vote pro or contra this statement:

A token for channel A gives no permission to access token-accessible content from channel B

#tokenmanagement #token @Hubzilla Support Forum+ @Hubzilla Development+
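A small model of the two access checks being compared in this post, added here as an illustration and not Hubzilla's own code; the channel, token and page names are constructed to mirror the report (token TCA issued by channel A, webpage WPB owned by channel B), and a second token TCB for channel B is added to show the expected positive case:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    value: str
    channel: str  # channel whose owner created the token (hypothetical field)


@dataclass(frozen=True)
class Page:
    url: str
    channel: str         # channel that owns the page
    observer_only: bool  # content wrapped in [observer=1]...[/observer]


# Constructed sample data mirroring the report.
TOKENS = {
    "tca": Token("tca", "A"),  # issued by channel A
    "tcb": Token("tcb", "B"),  # issued by channel B (added for the positive case)
}
WPB = "http://dummy.org/page/wpb"
PAGES = {WPB: Page(WPB, "B", observer_only=True)}


def can_view_unscoped(page_url: str, zat: str) -> bool:
    """Reported behaviour: any valid token on the hub counts as an observer,
    regardless of which channel issued it."""
    page = PAGES[page_url]
    if not page.observer_only:
        return True
    return zat in TOKENS


def can_view_scoped(page_url: str, zat: str) -> bool:
    """Expected behaviour: the token must have been issued by the channel
    that owns the page, so a token for channel A opens nothing on channel B."""
    page = PAGES[page_url]
    if not page.observer_only:
        return True
    token = TOKENS.get(zat)
    return token is not None and token.channel == page.channel


if __name__ == "__main__":
    print("unscoped, tca on WPB:", can_view_unscoped(WPB, "tca"))  # True
    print("scoped, tca on WPB:", can_view_scoped(WPB, "tca"))      # False
    print("scoped, tcb on WPB:", can_view_scoped(WPB, "tcb"))      # True
```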
  
Well, if I'm logged in I see the Loremipsum stuff and my name in the text. If I'm logged out I can only see the headline but not the content. If I put the '&zat=topsecret' at the end of the URL I can see the content but instead of my name it shows "Dear Guest/LieberGast".
Looks reasonable to me.
  
OK, it is my fallacy. And for advanced server-side access control at the paragraph level, Hubzilla developers need tools such as AJAX with ACL support - right?
  
And for advanced server-side access control at the paragraph level, Hubzilla developers need tools such as AJAX with ACL support - right?


It needs a whole lot more than that. You're welcome to give it a go.
changing ACL for tokenized content

  last edited: Tue, 14 Nov 2017 08:08:26 +0100  
  • I created webpage WPB http://dummy.org/page/wpb on channel B with [observer=1/0] protected content
  • WPB contains image ImA, which is accessible only for selected visitors
  • I allowed visibility of ImA for token TImA
  • but image ImA is not visible for token TImA
  • image ImA is visible for token TImA if I upload/include image ImA after changing the ACL for image ImA
Is this behavior a bug or a feature? I anticipate that image ImA is visible for token TImA without a new upload of image ImA after allowing visibility of ImA for token TImA.

#tokenized #tokenizedcontent #protectedcontent #visibility @Hubzilla Development+ @Hubzilla Support Forum+
  
Right, you need two folders, one for restricted files and one for public files.

ImageB must be under a restricted folder in Files, e.g. Restricted Files, while ImageA is in a public folder in Files, e.g. Public Files.

Add the ZAT for OnlyYouAreWelcome to Restricted Files.

Add the ZAT-link to ImageB to the webpage.

I may have got this wrong.
  
I assume that with your solution I must also declare all webpages that include Restricted Objects as Restricted Webpages. Otherwise, other authenticated users without access to image logo.png see this message:

Image/photo
  
Well, as described just those with the ZAT-link are allowed in, but you can add other people to the Restricted Files folder. I am going to a meeting now, so good luck! :-)