Link to a submitted file from UDF submission doesn't use session grant

Question

Link to a submitted file from UDF submission doesn't use session grant

Closed this issue a year ago · 5 comments

Existing submissions with uploaded files can be viewed in the CMS and a download link is presented.
The file URL is correct, but when followed, the system returns 404, even when logged into the CMS and being a CMS admin.
If the same file is viewed from the assets admin first, it can then be also accessed from the submission detail, assuming it now has session granted access. Logging off and on again replicates the issue.

Could be related to https://github.com/silverstripe/silverstripe-userforms/blob/6/code/Model/Submission/SubmittedFileField.php#L42 but it's hard to say whether it should force the grant or not in that particular place as that could have other implications, potentially exposing the file to other CMS users when it shouldn't, so it may need further investigation what is the best way to make sure that viewing the form submission provides the right level of access to files.

At the same time, seeing it runs through the 'has link' and 'file can view' checks and returns the download link, it might be sensible to session grant access at that point.

Reproduction steps:

(try this with and without subsites)

set up a UDF with a single form field and publish it
submit a front-end submission with a file using an incognito browser window
navigate directly to the Submissions tab of the UDF and display the submission detail
click on the Download link
observe 404
navigate to the assets folder where the submissions are stored and view the file there
repeat steps 4 and 5
observe file showing correctly
log out and log back in
repeat steps 4 and 5
observe 404 again

Acceptance criteria

If the user viewing the user form submission has access to the submitted file, they should be able to download it.
If the user viewing the user form submission does not have access to the submitted file, they should not be able to download it.

Answer 1 · 2023-08-15T12:25:04.000Z

It is possible that this issue is only related to a site with subsites, where the form is submitted on a different domain to the domain the submission is viewed on while accessing the CMS on the main domain for the whole CMS.

Answer 2 · 2023-08-31T22:17:50.000Z

I'm unable to replicate in the latest versions running recipe/kitchen-sink 4.13 or 5.0 with or without using a UDF / folder created in the subsite trying to view the UDF submission with the default "Content Authors" set to view and edit the folder the UDF submission are uploaded to. Also tried using just the main site instead of a subsite.

What versions are you running?

Answer 3 · 2023-09-04T22:22:08.000Z

I'll have another look trying to replicate using kitchen sink and provide better replication steps (and see if this might be due to some code customisations or not). Thanks for the time spent on checking this issue so far, @emteknetnz.

Answer 4 · 2023-09-20T22:24:53.000Z

@michalkleiner were you able to replicate this in the kitchen sink?

Answer 5 · 2023-09-27T01:07:32.000Z

I'll close this issue for now - feel free to reopen it if you're able to re-replicate