Connect Advisory Board Group

Good day Admins

I have unpublished a user's post this morning:

https://www-secure.symantec.com/connect/forums/migrating-netbackup-new-server#comment-8064421

The post contained information from a private Symantec Consulting document that clearly states:

Copyright © 2008, Symantec Corporation (Symantec). All rights reserved. This document may not be copied or further distributed, in whole or in part, without written permission from Symantec. 

Although the post has been unpublished, the attachment can still be accessed publicly:

https://www-secure.symantec.com/connect/sites/default/files/NBU_6x_Master_Migration_Rename_HotCat.pdf 

Surely the post along with any attachment should be blocked?

Thanks for the catch Marianne. (Both the post and noticing the attachment is still accessible.) I have deleted the attachment by editing the comment and deleting the file attachment. You're right to think it would be intuitive that the file would be accessible if someone were subscribed to the thread and the link was in the notification. However, I will enter a ticket into the system to see about remedying this situation.

Thanks again for the catch.

Is this causing a lot of problems?

When a user attaches a file to their post, it is uploaded to the web server where it is (by design) publically accessible.

When the post is found to be inappropriate and is deleted, the associated files are automaticaly deleted.

I'm just thinking changing this behavior will likely involve some significant code changes and probably new moderation rules and responsibilities.

Unpublishing content hides the post (and any links to attachments) until someone is able to evaluate the situation and (if necessary) delete the problematic post. You're right, that during this "evaluation" period, the attached files can be accessed if you can guess the URL where they are located.

Kevin

Hi Leslie 

I actually meant for BOTH the post and the attachment to be unpublished.

The body of the post is a copy & paste from the pdf that is not meant for public posting. It is a private Symantec Consulting document that Nagalla was never meant to have.

Hi Kevin

I experienced the following some time ago: 

I posted a document under Downloads, followed by a post on the forum with a link to the post under Downloads.

Shortly after that, a user replied that he could not access the URL.

A fellow partner responded that he could access the post and included the direct link to the pdf.

Looking at the Downloads post again, I realized that I accidently marked the post as Private - for Partners only. 

Now what if I really meant the post and download to only be accessible to Partners?  Something like a Licensing Guide that is really meant for Partners only?

I did not report it at the time as the Download was never meant to be Private...

Thanks Marianne,

While the issue in this new comment is different than the one you originally reported it is something that should be looked into.

I do know we've set up special areas for groups, like the Developers, where they can post private files (like SDK downloads) that are only visible to group members.

I'm sure similar something can be designed to push attachments to private posts into a private area of the server. I believe this is a feature of Drupal 7 so it may require a platform upgrade.

Thanks, as always, for your feedback.

Kevin

Thanks Kevin

My last post was merely an illustration of how attachments to posts that are not meant for public viewing, can still be accessed publicly if link to download is known...