• I have found that other logged-in users can view the media / pics etc. that other logged-in users have uploaded. I searched the forums (https://www.ads-software.com/search/hide+media+library+users?forums=1) and found a few half-cocked answers where some users think that using adminimize to hide the media button in the dashboard fixes it – but the media library is still accessible through the post editor pop-up window, so that is not a solution.

    I see some users using role scoper to hide media not uploaded by other users – but that only restricts a portion of the files uploaded by other users, and still leaves several pages of other users’ uploads visible / usable / accessible to other users.

    I think this is a serious security / privacy issue, so I am hoping there is a better solution.

    This particular situation I am having was a WordPress NON-Multisite where “anyone can register” and users were auto created as “author”.

    At first it appeared that all files uploaded via the photosmash plugin were all available for other users to see. When I added role scoper, it removed many of the media files from other users – but images removed from the photosmash gallery that were removed from the gallery (but still left in /uploads/) were viewable by other users (I am guessing they became “unattached media files” so role scoper could not figure out they “belonged” to other users).

    So I deleted all those unattached files, and WordPress still shows several pages of images uploaded by other users that are attached, even with role scoper hiding many others.

    Recent testing shows that new uploads to the media gallery by site admin (to use on theme, hmm. I guess they are technically unattached to a post) – are visible to other users.

    This seems to be an issue with unattached files and files that were uploaded and saved in an auto draft.

    I added buddypress and buddypress album to this multi-author blog install, but did not convert it to multi site. I have not had a chance to test to see if images added through buddypress profile / avatar uploads or the buddypress album have the same cross-user-media-viewing issue or not.

    Simply trying to give users a way to upload and post pics without going multi-site – is there no fix for this?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter djsteveo

    (@djsteveo)

    It is my hope that the WordPress gurus will find time to add this as a security / settings option for WP when multiple authors are using the same site – and consider the ramifications for buddypress installs with this as well.

    Luckily the plugin author for role scoper has updated his code in the development version of his plugin that has now blocked the access of users seeing other users’ unattached media files. As of this writing a regular author is still able to see the unattached media files that the admin of the site has uploaded and that are unattached (images uploaded for theme headers are all accessible to regular users) – but my fingers are crossed that the role scoper author will get that part figured out as well. I donated to the plugin creator there for taking on such an important task – I hope that code finds its way into core in future updates.

  • The topic ‘media library security users see others media’ is closed to new replies.
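
One way to get the behaviour the thread asks for, as an added example that is not part of the original posts and is not Role Scoper's code: a small plugin that limits media listings to the current user's own uploads by filtering on the attachment's author, which also covers unattached files and files saved against an auto draft. It assumes WordPress 3.5 or later; the `omo_` helper name and the plugin name are made up for this example.

```php
<?php
/**
 * Plugin Name: Own Media Only (added example, hypothetical name)
 * Description: Authors and below only see attachments they uploaded themselves.
 */

// Hypothetical helper: who may still see every user's media.
// Editors and administrators hold edit_others_posts; authors do not.
function omo_user_sees_all_media() {
    return current_user_can( 'edit_others_posts' );
}

// Media pop-up in the post editor: attachments are fetched over admin-ajax.
add_filter( 'ajax_query_attachments_args', function ( $args ) {
    if ( ! omo_user_sees_all_media() ) {
        // post_author of an attachment is the uploader, whether or not
        // the file is attached to a post.
        $args['author'] = get_current_user_id();
    }
    return $args;
} );

// Media Library list view (wp-admin/upload.php): runs as the main query.
add_action( 'pre_get_posts', function ( $query ) {
    if ( ! is_admin() || ! $query->is_main_query() ) {
        return;
    }
    if ( 'attachment' !== $query->get( 'post_type' ) ) {
        return;
    }
    if ( omo_user_sees_all_media() ) {
        return;
    }
    $query->set( 'author', get_current_user_id() );
} );
```

This only narrows what the dashboard lists. A file left in /uploads/ can still be fetched by anyone who has its URL, so keeping the files themselves private needs web-server rules or a download handler.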