Critical security hole about download file

Add asset to shared folder, set “original not downloadable”, re-login as restricted user (no groups), go to folder, select asset, go to details, select ftp or mail and you may select original and mail or upload it.

The restricted user can download the original file! How could I solve it?

I want the restricted user to only see a preview of the asset.

The restricted user shouldn’t download the file. BUT if the restricted user clicks "send via email" and copies the file-download URL, he could get the original file. How can I restrict it?

Hi minchanSim,

You can go to Folder Sharing & Settings of the folder where you want to set the permission for the assets. Go to the Sharing Option tag, then set the permission to No for Allow download of Original Asset.

Hope this helps.

Thanks

I set the Sharing Option like you said.
I already set the permission to No for Allow download of Original Asset.

  1. When I click the download image

  2. It works (the download is restricted).

  3. When I click "send via mail" (the restricted user can see it!!!)

  4. Razuna gives me a URL that can download the original file.

  5. If the restricted user copies and pastes the URL into a browser, he can download the original file.

** I want to restrict the original file perfectly from the restricted user.
What should I do?

Thanks for your attention.

Thanks for this information. We will check it as soon as possible.