6 Replies Latest reply on Oct 13, 2009 9:50 AM by wfindlay

    How does security work for uploaded images?

      1. Do image files inherit the security of the location where they were uploaded? Or, once uploaded to SBS 3.0 can an image be embedded anywhere within SBS?

       

      2. In other words, if I upload an image while editing a document in a private group/associate only group, will it show up if I embed the same image in a public group?

       

      3. Another scenario:

       

      Say I am a member of PrivateGroup1 and PublicGroup1.

      I upload an image while in PrivateGroup1.

      Then in PublicGroup1 I embed that same exact image (using the copied URL).

      I know I can see the image in both PrivateGroup1 PublicGroup1, but maybe that is because I am a member of PrivateGroup1 and PublicGroup1.

      Fred is not a member of PrivateGroup1, but is a member of PublicGroup1. Can Fred see the image in PublicGroup1?

       

      The reason I ask is because we are trying to decide where to put an image library for a group (basically an SBS document containing uploaded images) and we weren't sure if it mattered where they were first uploaded. We are using an "image library" because when you customize a group homepage using the Formatted Text widget, there isn't the option to upload images:

       

      noUploadImage2.png

       

      So what we are doing is uploading the images to a document, and then reusing their URLs in this dialog.

        • Re: How does security work for uploaded images?

          If you post a document to a private space, and insert images into the document, you'll still be able to link to those images in a public space (e.g. in a formatted text widget).

          • Re: How does security work for uploaded images?

            Hi Will,

             

            If you upload an image into a private Group or Space then only people who have read access to that Group or Space will be able to see the embedded image. Users who do not have access to the document containing the image will not see the image if it is referenced from content, or a widget, that they do have access to.

             

            Regarding URL stability, the structure of image urls are generally pretty stable from release to release if you upload the images as binary files or attach them to other content (however, we could change it in the future). However, the urls can change if you upload a new version of the file or update the content (so that a new version is created), so be careful with those kinds of operations.

             

            Hope that helps,

            Greg

            1 person found this helpful
              • Re: How does security work for uploaded images?
                Ok, I'm a little confused here because it sounds to me like two contradicting answers here:

                Rick Palmer (Jive) said: If you post a document to a private space, and insert images into the document, you'll still be able to link to those images in a public space (e.g. in a formatted text widget).

                but then Greg said:

                If you upload an image into a private Group or Space then only people who have read access to that Group or Space will be able to see the embedded image. Users who do not have access to the document containing the image will not see the image if it is referenced from content, or a widget, that they do have access to.

                 


                Maybe a simpler way to ask is, when a URL is created for an image, can that URL be used by anyone, or will the URL only display for people who had rights to the place it was originally created?
                  • Re: How does security work for uploaded images?

                    Hi Will,

                    wfindlay wrote:

                    Maybe a simpler way to ask is, when a URL is created for an image, can that URL be used by anyone, or will the URL only display for people who had rights to the place it was originally created?

                    The resource at the URL will only display for people who have rights to the place that the resource is contained in, otherwise there would be a security hole. For example, if you insert or attach an image to a document in a Group that only you have access to then no one else (except certain administrators) will be able to see that image, even if they have the direct URL that refers to that image. I have double-checked this behavior in the code for Jive SBS.

                      • Re: How does security work for uploaded images?


                        As a test, can you see this image?

                         

                        https://www.ucern.com/servlet/JiveServlet/downloadImage/16192/263-196/00000008.png

                        Try right-clicking and opening it in a new tab or window.

                        This was uploaded in a secret group in our installation of SBS.

                         

                        [Never mind on this - I forgot that it would first require you to authenticate to our entire website -- I'll have to test locally]

                         

                        Message was edited by: Will Findlay - testing won't work outside people who have access to our domain.