I have disabled guest browsing in core.auth. (I don't want any kind of guest browsing). In data/plugins/conf.serial/plugins_configs.ser is ALLOW_GUEST_BROWSING="" (ALLOW_GUEST_BROWSING";s:0:"";)
Then I share a folder and choose "Create a temporary user" and enter the user name "guest" and a password.
After this, everyone can log in with the user "guest" and ANY password or WITHOUT a password and access the shared folder.
Also the user "guest" is not visible on the "Shared Users" screen and not associated with the repository on the "Shared Repositories" screen.
The user guest is created in the "data/plugins/auth.serial/users.ser" and the folder "data/plugins/auth.serial/guest"
The user name "guest" should act like any other user name, if ALLOW_GUEST_BROWSING is disabled, shouldn't it?
My users don't know anything about this special behaviour of the user name "guest" and could accidentally open a private folder for the whole world, so it may be a security problem.
Hi,
Thanks for reporting, very interesting problem indeed! I'll check how to fix it easily, but I think the quick fix will be more on the "forbidding guest user" side.
Charles
Hi,
I've committed a fix for this, can you retest? (Make sure the guest user is totally removed, by editing the user.ser file in data/plugins/auth.serial.)
Grab the latest version of the two following files on the SVN: http://ajaxplorer.svn.sourceforge.net/viewvc/ajaxplorer/trunk/core/src/
Files:
+ core/classes/class.AuthService.php
+ plugins/action.share/class.ShareCenter.php
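Added example, not part of the thread and not AjaXplorer's code: a hypothetical PHP model of the behaviour reported above, where a special-cased login name bypasses the password check, shown next to a login check that honours the guest-browsing setting and a creation-side check that refuses reserved names. All function names, the `RESERVED_LOGINS` list and the sample user data are assumptions made for illustration.

```php
<?php
// Hypothetical model of the reported behaviour; not AjaXplorer source code.
const RESERVED_LOGINS = ['guest']; // assumption: the only special-cased name

// Before: "guest" is special-cased ahead of the password check and the
// guest-browsing setting is never consulted.
function checkLoginBefore(array $users, string $login, string $password): bool
{
    if ($login === 'guest') {
        return true; // any password, or none, is accepted
    }
    return isset($users[$login]) && password_verify($password, $users[$login]);
}

// After: the guest shortcut applies only when guest browsing is enabled;
// otherwise "guest" is verified like any other account.
function checkLoginAfter(array $users, string $login, string $password, bool $allowGuest): bool
{
    if ($allowGuest && $login === 'guest') {
        return true;
    }
    return isset($users[$login]) && password_verify($password, $users[$login]);
}

// Creation-side check (the "forbidding guest user" approach): refuse
// reserved names when a share creates a temporary user.
function createTemporaryUser(array &$users, string $login, string $password): void
{
    if (in_array(strtolower($login), RESERVED_LOGINS, true)) {
        throw new InvalidArgumentException("Login '$login' is reserved");
    }
    if (isset($users[$login])) {
        throw new InvalidArgumentException("Login '$login' already exists");
    }
    $users[$login] = password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample data: a leftover "guest" entry created through a share.
$users = ['guest' => password_hash('s3cret', PASSWORD_DEFAULT)];

var_dump(checkLoginBefore($users, 'guest', ''));            // empty password, old check
var_dump(checkLoginAfter($users, 'guest', '', false));      // empty password, guest browsing off
var_dump(checkLoginAfter($users, 'guest', 's3cret', false)); // correct password, guest browsing off
try {
    createTemporaryUser($users, 'guest', 'another-password');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```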
Clearing the server cache: Delete the two files data/cache/plugins_*.ser
Clearing the client cache: Delete your browser navigation data (cache, cookies, etc).
It's a PHP config: A configuration that AjaXplorer cannot update directly, but that is set in the php.ini file. Some configs must be changed directly inside this file, others can be overridden by an .htaccess file inside the AjaXplorer folder.