If someone knew or guessed the absolute path and file name of certain TNG media files on a given TNG site, they could fetch those files without logging in, even if that media were linked to living persons and barred for a regular user. I could do this on my own site by looking at the thumbnail of a media item of a living person, editing the link information of the photo by right-clicking on the media, logging out, and then pasting the data into a browser, i.e.

https://www.someTNGsite.com/photos/thumb_xyz.jpg   ... 

Omitting the thumb_ prefix gives the absolute path to the file:


And voilà, the photo can be seen in the browser without having to go through the login procedure. I have tried this on some other systems and could get some media files there, too.

In short:
If one points the browser at the main home page https://www.someTNGsite.com, one has to log in and is given the user access rights.
If one points the browser directly at an existing file name like https://www.someTNGsite.com/photos/xyz.jpg, that file is transferred without having to log in, and access restrictions are ignored.

I have tried this on TNG 11.0.1, TNG 11.0.2 and TNG 12.1 systems. Is this the normal, intended behaviour of TNG? Is this because of misconfigured systems (i.e. do we have to enter restrictions manually in some .htaccess files)? Or do we have a security issue here?

Thanks for looking into this.
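A way to repeat the check described in the post across many media paths at once, as an added example that is not part of the original post and not TNG code: it requests each thumbnail path and its full-size counterpart (the file name with the thumb_ prefix dropped, as the post describes) with no session cookie at all, and reports which ones the web server hands back as a non-HTML body. The base URL, the sample paths and the injectable fetch function (so the logic can be exercised offline) are assumptions of this example.

```python
"""Anonymous direct-fetch check for media paths (added example, not TNG code).

Given a site base URL and thumbnail paths copied from a logged-in session,
request each path and its full-size counterpart WITHOUT any session cookie
and report whether the web server serves the file regardless of login.
"""
import posixpath
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin


def full_size_path(path):
    """Drop the 'thumb_' prefix from the file name, e.g.
    /photos/thumb_xyz.jpg -> /photos/xyz.jpg (unchanged if no prefix)."""
    directory, name = posixpath.split(path)
    if name.startswith("thumb_"):
        name = name[len("thumb_"):]
    return posixpath.join(directory, name) if directory else name


def fetch_status(url, timeout=10):
    """Anonymous GET: returns (status_code, content_type).

    A fresh opener with no HTTPCookieProcessor is used on purpose, so no
    logged-in session can leak into the request.  Redirects (e.g. to a
    login page) are followed, which is why the content type is inspected.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "media-exposure-check"})
    opener = urllib.request.build_opener()
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", "")


def is_exposed(status, content_type):
    """A file counts as exposed only when served with 200 and a non-HTML
    body; a 200 carrying text/html is normally the application's login or
    error page, i.e. the media was NOT handed over."""
    return status == 200 and not content_type.lower().startswith("text/html")


def check_media(base_url, thumb_paths, fetch=fetch_status):
    """Probe each thumbnail path and its full-size counterpart anonymously.

    Returns {absolute_url: True if served without login, else False}.
    `fetch` is injectable so the classification can be tested offline.
    """
    results = {}
    for thumb in thumb_paths:
        for path in (thumb, full_size_path(thumb)):
            url = urljoin(base_url, path)
            if url in results:          # thumb without prefix maps to itself
                continue
            status, ctype = fetch(url)
            results[url] = is_exposed(status, ctype)
    return results


if __name__ == "__main__":
    # Usage: python check.py https://www.someTNGsite.com /photos/thumb_xyz.jpg ...
    if len(sys.argv) < 3:
        sys.exit("usage: check.py BASE_URL THUMB_PATH [THUMB_PATH ...]")
    for url, exposed in check_media(sys.argv[1], sys.argv[2:]).items():
        print(("EXPOSED " if exposed else "blocked ") + url)
```

Run it from a shell with no TNG session, against paths taken from a profile page you could only see while logged in; every line marked EXPOSED is a file the web server itself serves, which no application-level "living person" restriction can prevent unless the web server (for example via .htaccess) or a gating script in front of the media directory enforces it.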


If the site is set up so that people are required to log in to see something, and the setting for "Always viewable" for any particular media item is NOT checked, then the thumbnail should not be visible on the person's profile page at all.


