Re: Dotnetnuke integration file storage security risk?

  •  11-20-2007, 10:35 AM

    Adam:
    There is no file storage security risk. Even if you use this system of DNN, experienced developers can still download your images.
     
    If you really like this file storage system, just create your own dialog and call the DNN internal code.
     
    First, thank you for the response!
     
    Sorry Adam, there really are some file storage security issues with the Cute Editor DNN integration. Some other DNN users have already mentioned those issues too. We have run multiple tests to check all possible scenarios. I really wonder how even experienced developers can download image files with the file extension ".resource"? Even when you know the exact URL of the images, you will still get an access denied error. I thought the .NET Framework protects .dll, .resx, .resource, .vb, .cs files etc. from being downloaded.
     
    No hard feelings, man, we do like your editor. On one of our live servers we have one DNN installation with more than 70 portals, and Cute Editor works great. But the Cute Editor DNN integration really needs some improvements/fixes:
    • improvement: each DNN portal should have a separate configuration file, since one DNN installation can have an unlimited number of portals. Mostly each portal has its own requirements.
    • security fix: Users shouldn't see the secured DNN folders and files in any Cute Editor dialogs if they don't have the Read access right.
    • security fix: Users shouldn't be able to upload files to a secured DNN folder if they don't have Write access to the folder.
    • security fix: When a user uploads files (no matter what kind of files) to a secured DNN folder, it should rename their extension to ".resource", so no one can download the files directly.
    • security fix: When a user creates a link to a file in a secured DNN folder, Cute Editor should then create a special hyperlink, as I mentioned.
    By the way, our R&D team started developing our own dialogs to fix these issues last week. They are close to finishing the last details now, so we can replace the dialogs at the end of this week. Please re-check the issues I mentioned when you have more time; maybe you can improve the DNN integration in future releases.
    Thank you for your time.
      
     