neue medienordnung plus
  last edited: Tue, 14 Nov 2017 02:59:07 -0500  
  • I created webpage WPB http://dummy.org/page/wpb on channel B with [observer=1/0] protected content
  • I created Token TCA for channel A zat=tca
  • I opened webpage WPB with the token for channel A
  • I see protected content in webpage WPB
Hubzilla version 2.8.1

@Mike M. closed the issue https://github.com/redmatrix/hubzilla/issues/909 , but I mean that it is a bug that Hubzilla displays protected content in webpage WPB for a visitor with token TCA, which is valid for channel A, because I created that token for access to channel A, not to channel B.

Similar to Login on Hubs:
  • a valid login on hub https://hub.libranet.de/ is no permission for login on hub https://macgirvin.com/
  • I anticipate that a valid token for https://hub.libranet.de/channel/nmoplus is no permission for https://hub.libranet.de/channel/wallzilla
I mean that the current behavior of the token solution is a danger for channel security:
a malicious user from channel https://hub.libranet.de/channel/A can make a token TCB and get access to token-protected content on channel https://hub.libranet.de/channel/B

Token management is located with channel owner A. This fact suggests that the token from channel A is valid for channel A. I mean that an average user assumes that tokenized access to content protects their content. What do you think? Please vote pro or contra this statement:

A token for channel A gives no permission to access token-accessible content from channel B

#tokenmanagement #token @Hubzilla Support Forum+ @Hubzilla Development+
Mario Vavti
  
@neue medienordnung plus the observer tag has nothing to do with permissions or protection as you call it.

observer=1 content will be visible to any authenticated channel and/or guest token allowed to see the content (in terms of being allowed to view your webpage by the ACL).

observer=0 content will be visible to any not authenticated viewer.

observer=0/1 basically only works with public content since we need to be authenticated to see restricted content. So any channel viewing restricted content will always see the content of observer=1.
neue medienordnung plus
  
@Mike Macgirvin: Thank you for the detailed answer. I mean, this hack
All somebody has to do is "view source" and they can see whatever it is you're trying to hide.
is not suitable for viewing content hidden with [observer=0/1][/observer]. Can you see what I hid in this demo page https://hub.libranet.de/page/wallzilla/vertrauliche-inhalte-freigeben-demoseite_de :-)?

I mean that without the option of "access control at the paragraph level" it is very difficult for a developer of Hubzilla apps to develop an attractive (killer) Hubzilla app.
neue medienordnung plus
  
OK, that is my fallacy. And for advanced server-side access control at the paragraph level, a Hubzilla developer needs tools such as AJAX with ACL support, right?

neue medienordnung plus
  last edited: Tue, 14 Nov 2017 02:08:26 -0500  
  • I created webpage WPB http://dummy.org/page/wpb on channel B with [observer=1/0] protected content
  • WPB contains image ImA, which is accessible only for selected visitors
  • I allowed visibility of ImA for token TImA
  • but image ImA is not visible for token TImA
  • image ImA is visible for token TImA if I upload/include image ImA after the change of the ACL for image ImA
Is this behavior a bug or a feature? I anticipate that image ImA is visible for token TImA without a new upload of image ImA after allowing visibility of ImA for token TImA.

#tokenized #tokenizedcontent #protectedcontent #visibility @Hubzilla Development+ @Hubzilla Support Forum+
 ACL
Haakon Meland Eriksen (Parlementum)
  
Right, you need two folders, one for restricted files and one for public files.

ImageB must be under a restricted folder in Files, e.g. Restricted Files, while ImageA is in a public folder in Files, e.g. Public Files.

Add the ZAT for OnlyYouAreWelcome to Restricted Files.

Add the ZAT-link to ImageB to the webpage.

I may have got this wrong.
neue medienordnung plus
  
I assume that with your solution I must also declare all webpages that include Restricted Objects as Restricted Webpages. Otherwise another authenticated user without access to image logo.png sees this message:

Image/photo
Haakon Meland Eriksen (Parlementum)
  
Well, as described just those with the ZAT-link are allowed in, but you can add other people to the Restricted Files folder. I am going to a meeting now, so good luck! :-)