Closed maxime-rainville closed 4 years ago
Agree with the high impact rating here. Good find @maxime-rainville!
Very high impact. Especially if the client is paying for extra disk space, yet cannot delete the files that are using it. High impact bug but havent seen any movement on it?
It's nearly a security issue, not just a bug.
If this is affecting you or your clients, contributions / PRs are welcome.
Fixed in https://github.com/silverstripe/silverstripe-versioned/pull/286 Unit test PR (requires versioned PR above to be merged first) https://github.com/silverstripe/silverstripe-assets/pull/412
New issue for deleting physical files https://github.com/silverstripe/silverstripe-assets/issues/413
Linked PR's have been merged and merged-up from 1.5 -> 1.6 -> 1
A new issue has been created to retrospectively fix up any modified assets that were published and later deleted. We don't have an ETA of when that issue will be actioned.
It was determined that this was not a security issue since any assets in the public store were there because a CMS author had at some point consciously chosen to publish the asset and make it publicly accessible
"It was determined that this was not a security issue since any assets in the public store were there because a CMS author had at some point consciously chosen to publish the asset and make it publicly accessible"
Sorry but this is a huge assumption. I can think of many examples where the security/sensitivity level of a file changes over time. Something that is not seinsitive one day could indeed be sensitive the next, and should be able to be deleted from the assets store (in all its aspects) with trust that the physical file and versions have been deleted as well.
Description
If you have a file that has different published and draft version, and you try deleting it, the published version won't be deleted.
Steps to reproduce
Expected result: You should get a 404. Actual result: The file is still available and has not been deleted.
Video show case in Silverstripe CMS 4.4
Affected version
Note
This only happens if someone has used the "replace file" feature to upload new version of the file without publishing it. My guess is that when deleting the file, asset discovers the draft version first and delete that without looking to see if there's a live version to delete as well.
I'm thinking this might be related to https://github.com/silverstripe/silverstripe-assets/issues/345
Acceptance criteria
keep_archived
is enabled, the live file is archived to the protected store.===
PRs
Travis kitchen-sink with new fix + assets units tests
New issue created to delete files
===
Others PRs to close after merge
Travis kitchen-sink with original code fix + assets unit tests