kneekoo wrote:Regarding the security of the project files it's more than black and white. Sure, some people don't understand the importance of setting Options -Indexes on a web server (regardless if dev/prod), some might not know how to use chmod, chown and mod_access to their advantage, or that Collabtive renames the uploaded files, but the fact is Collabtive offers direct links to the files, so anyone with access can copy/paste these links and unauthenticated people can hotlink/access them freely.
I would agree that there is a problem here. Not all users will have the expertise to be able to add these things to make access to their files more secure. Maybe providing .httaccess file by default, and maybe blank index.html files in the files directory. Adding index.html would stop people from getting a list of directories and files, from users who have indexing turned on, on their website.
But I would say .htaccess is unnecessary since collabtive renames the uploaded files, and this makes it hard to guess the file names. But this is defeated by collabtive providing a direct link to the files.
kneekoo wrote:The least we should have in Collabtive is a special php file that offers access to the project files based on credentials - something like getProjectFile.php?id=123
I have provided modifications to add authentication to file downloads, this can be found here viewtopic.php?p=13055#p13055
. It provides links as so managefile.php?action=download&id=1&file=2.
With my modifications collabtive does not provide direct links, but I am aware that it is a bit useless as it provides the full file names, along with the appended characters. So for some users it could be quite easy to guess the direct location, even though a direct link is not provided.
In the following days I will update my method to include a fix for the above mentioned problem. I will have it provide the original file name. I also have some other small changes, and I will also provide all the modified files, to make it easier to apply my modifications.