Russell Mulcahy
 New Member Posts:91
 |
| 24 Sep 2009 10:58 AM |
|
Hi, My site is a hosted intranet service, so I need to re-assure my clients that their data is secure. I need calendar functionality (not registration) for the site and your event calendar looks pretty good for that. However, I notice that the attachments (which my clients will use for minutes of meetings etc) use a URL that directly links to the documents (rather than, say, the DNN LinkClick API). This means that once you know (or can guess) the URL you can access the document from any browser without any authentication at all. Is there any way to prevent this with the current version of Event Calendar? I understand that if the attachments are about public events this is not really an issue but, for me, this completely prevents me from using the product if it can't be solved. Cheers, Russell. |
|
|
|
|
Inven Manager
 Senior Member Posts:6765

 |
| 24 Sep 2009 05:11 PM |
|
Russell, Thanks for reporting this issue... How about if we change that URL to the attachment to a link button? That means it is not a direct link to the document; rather, when they click on the link, the document will be downloaded. Essentially the documents are still saved in the same location as they are saved now. But the user wouldn't know where the document is being stored, as there is no direct link exposed. Will that be ok? Of course, if we can rename the file or encrypt the file, that will be the best solution, but we may only add such features in a future release. Thanks.
|
|
========================================
Delivering high value DotnetNuke Modules to save your time and resources |
|
|
Russell Mulcahy
 New Member Posts:91
 |
| 25 Sep 2009 09:39 AM |
|
Hi, Thanks for the quick response. Hiding the URL would be better but obviously doesn't really close the security loophole. For example, if Google were allowed to crawl the site, I suspect you would be able to google the unprotected files.

I have been doing a bit of research, however, and the world is not the way I thought it was. Here is what I learned:

1. Because I hadn't set up a secure folder in DNN, all the existing, non-invenmanager, file links on my site aren't secure! They don't contain the name of the file but you can still copy them to another browser and use the link to download without security.
2. When I created a secure folder, all the file links in my other modules become secure and can't be accessed from outside DNN. From this article - http://www.mitchelsellers.com/blogs/articletype/articleview/articleid/167/pageid/83.aspx - I gather they are renamed and managed by the URL control.
3. I notice that the Invenmanager calendar also uses the DNN URL control, so I expected it to become secure if I used a secure folder. What happens is that it recognises the secure folder (I see the little padlock), allows me to attach the file but produces a "HTTP Error 404.0 - Not Found" when I try to download the file. This is a little too secure - no-one can see the files ;-)

So I'm wondering if by using the URL control Invenmanager is almost there and just needs some tweak to use DNN secure folders. As usual, finding documentation for the URL control is not easy but I have read something about having to call an UpdateTracking method after using the URL control. Not sure if that's any help. Cheers |
|
|
|
|
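Added example, not part of the thread and not Event Calendar or DNN code: a generic ASP.NET handler showing the difference between hiding a link and enforcing access on every download. The class name, storage path, role name and sample index entry are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Added example: generic ASP.NET (.NET 4+), not Event Calendar or DNN code.
public class AttachmentDownload : IHttpHandler
{
    // Assumption: files are stored outside the web root, so no URL maps to them.
    private const string StoreRoot = @"D:\AttachmentStore";

    private sealed class Entry { public string StoredName, DownloadName, Role; }

    // Constructed sample index; a real module would query its own tables.
    private static readonly Dictionary<Guid, Entry> Index = new Dictionary<Guid, Entry>
    {
        { new Guid("11111111-2222-3333-4444-555555555555"),
          new Entry { StoredName = "a81f.bin", DownloadName = "minutes.pdf", Role = "Committee" } }
    };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The link carries only an opaque id, never a file path.
        Guid id; Entry entry;
        if (!Guid.TryParse(context.Request.QueryString["id"], out id) ||
            !Index.TryGetValue(id, out entry))
        { context.Response.StatusCode = 404; return; }

        // Checked on every request, so a copied or crawled link is useless
        // to a browser that has not logged in with the required role.
        var user = context.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole(entry.Role))
        { context.Response.StatusCode = 403; return; }

        // Resolve inside the store only; reject anything that escapes it.
        string root = Path.GetFullPath(StoreRoot) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, entry.StoredName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        { context.Response.StatusCode = 404; return; }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + entry.DownloadName + "\"");
        context.Response.AddHeader("Cache-Control", "private, no-store");
        context.Response.TransmitFile(full);
    }
}
```

A quick check for any fix of this kind is to paste the download link into a browser that is not logged in: the response should be a login prompt or an error, never the file.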
Inven Manager
 Senior Member Posts:6765

 |
|
Russell Mulcahy
 New Member Posts:91
 |
| 26 Sep 2009 10:12 AM |
|
Thanks, that would be great. It does give me a problem, though. I need to add calendar functionality now but, if I use Event Calendar, I can't secure my folders. I know you can't make a firm commitment but can you say what kind of timescale you expect for a fix? If it's a few weeks I can wait but if it's more likely to be months I can't. I haven't been able to come up with a workaround for the current version apart from leaving my folders unsecured. |
|
|
|
|
Inven Manager
 Senior Member Posts:6765

 |
| 27 Sep 2009 03:37 PM |
|
Well, actually I am working on a list of over 30++ minor enhancements, and this came in as a surprise.... I did not consider the security issue with the attachments, as I thought since it is in DNN folders it will be exposed. I will consider this when I develop the next release to see what a good way to handle this is and also make it compatible with the existing data. |
|
|
|
Russell Mulcahy
 New Member Posts:91
 |
| 27 Sep 2009 04:08 PM |
|
Ok, I understand. I'll just have to weigh it up and decide. Cheers, |
|
|
|
|
Russell Mulcahy
 New Member Posts:91
 |
| 30 Nov 2009 07:47 PM |
|
Hi - I guess this didn't make 3.1, which is understandable. It's quite a problem for me, however, as it leaves files not as secure as I want them. Do you have an idea yet of when you might look at this? I guess you are busy with following up 3.1 at the moment, so perhaps you don't. |
|
|
|
|
Inven Manager
 Senior Member Posts:6765

 |
|