Should the /admin/resources/assetthumbs/{assetid}/200 be accessible without being logged in?

I’ve just noticed I can access thumbnails that way, and with some fiddling even let it generate huge images for me.

This is on v2.6.3002.

Brad Bell

1 Answer

In Craft 2, this is expected behavior.

In Craft 3, we "fixed" it by using an Asset's UID instead of its ID, which makes it harder to guess.

Brad Bell
  • So in Craft 2 it is possible to see all the uploaded images without logging in and scale them to any size, even so big PHP runs out of memory. This seems like a serious issue to me.

    Why doesn't Craft check if the user is logged in to the admin?

    – Koen Rijpstra Jan 29 '18 at 11:35
  • For the next release asset thumbnails will only be generated on Control Panel requests by logged in users. Going to go ahead and vote to close this as a bug. – Brad Bell Jan 29 '18 at 22:23