The old big issue to set uploaded file in resources …
really a big issue here …

PR: https://github.com/LimeSurvey/LimeSurvey/pull/2494

But : user file list are pot part of survey resources !

I really think we mist not import : it's part of response not resoures

The fix must be

• export resource didn't export fu_ file

New feature

• export user file export fu_ file
• import user file

If fileuploads are exported on resources now and app is intending to upload them, the bugfixing would be to allow them to be imported.

it's part of response not resoures

From my point of view, that is a reorganization, another ticket

Personally i clearly not merge like this …

And it don't fix the issue …
Set ressource upload allowed to png,jpg,gif
set file upload allowed to doc, docx, odt

You don't import the uploaded files ⋅

From my point of view, that is a reorganization, another ticket

fu_ file is part of response, it's not a point of view here, clearly not …

@c_schmitz... what do you think?

fu_ file is part of response,

I agree with that.
The discusion is about when to make them exportable/importable.

I believe is a new feature. You said it also.
So the current ticket needs to find a way to allow the current feature implemented to work as expected.
That is allow people to upload fu_ files with the resources.

The fix must be: export resource didn't export fu_ file

So the fix is to "not allow"?

So the fix is to "not allow"?

No : the fix is don't export user files as survey resources :)

Gabriel an Me are unsurfe on the fix to do.

Me : don't export : it's not survey ressource (and create a new fetaire import/export user file)
Gabriel : leave it for export, then try to import it

PS : in general : whe n i have user files : size of zip get more than 50 Mo … i prefer to don't have it in ressources …

Yeah, I'm a bit unsure. Gabriel's fix has no immediate security issue or danger to it, tho, right? But as Denis remarks, it's not 100% tight either, due to different settings in permissions (resource file upload vs question file upload). I guess we can both merge this and plan a more solid solution together?

@DenisChenu, do you want to remove browsing response files in the resource file manager? Or what's your idea there?

OK, ready for testing

1st : allow to expprt wothout user file (second button)

But what i want really ? Allow to save on another directory : save out of web access. It's a bug reported since years now …

User with apach have .htaccess, user with nginx or IIS are not protected

    #Disallow direct read user upload files
    location ~ ^/upload/surveys/.*/fu_[a-z0-9]*$ {
        return 444;
    }

@ritapas maybe you can help by testing the PR?
https://github.com/LimeSurvey/LimeSurvey/pull/2494

@DenisChenu, you can put uploaddir outside your web dir, no? In config.php.

@DenisChenu, you can put uploaddir outside your web dir, no? In config.php.

No because resource file is used for img source or PDF link in survey.

upload/survey MUST be in web dir
upload/theme can be out of web dir IF debug is not set (debug + registerCss : file need to be in web dir)

@gabrieljenik is the fix inside last release?

No because resource file is used for img source or PDF link in survey.

OK, got it

@gabrieljenik is the fix inside last release?

@ritapas No, in this PR
https://github.com/LimeSurvey/LimeSurvey/pull/2494

I think you have dealt with PRs before, right?

Thanks

@gabrieljenik sorry no, but I will seek for help

@ritapas You can also give us the lss and zip file needed to do the test.

@ollehar sure, I am glad to help.
Here you are the lsa and zip file.
The problem indeed is when importing resources that participants send us as "file uploads".

Hello,
I managed to incorporate the new code in our environment.
I seems to be working fine, except for complaining about the index.html file.
Is there a reason for it always being added to resources and the being impossible to upload back?

Screenshot 2022-08-08 at 17-27-52 LimeSurvey DEV.png (24,430 bytes)   

Screenshot 2022-08-08 at 17-27-52 LimeSurvey DEV.png (24,430 bytes)   

@ollehar Maybe we can allow html?

Not sure about XSS there, since HTML also includes script tags and external links.

Well. JS is already accepted.

If not, how shall it be handled the latest comment from ritapas?

as far as I have seen since now, the index.html only contains the following:

%%
<html><head></head><body></body></html>
%%

sorry, I meant
<html><head></head><body></body></html>

but I thought that needed some escaping to avoid tag parsing

@ollehar will leave it up to you.

Should we allow it or wrap up the fix without allowing it?

Pinging Carsten for comment.

I think the whole PR is not the proper way to fix it.
IMHO response files should be part of survey archive export/import as an option, not of survey resources.

i would agree

response files should be part of survey archive export/import as an option, not of survey resources.

I agree that FU should be separated from responses, but that's a concept change.

I think the whole PR is not the proper way to fix it.

Obvisouly don't agree :) haha
I understand is not the long term fix.
But more like a fix according to the current situation and current concepts.

The bug is: with the current concepts, why it doesn't work?
The PR is a fix for it, allowing the current implemented feature to work as expected.

response files should be part of survey archive export/import as an option, not of survey resources.

We could do another ticket for allowing that, but would be a bigger change.
Not a fix in the code, but a change in the expectations.
That's why it would be a another ticket,

Question is: If this allows the current implemented feature to work, why would we need to block it?
Can;t we just release it and then prioritize the bigger change?

Maybe best is to do not add fu_XXX file in resource zip export for the 1st PR ?

I'm OK to fix it like this (next week)

Maybe best is to do not add fu_XXX file in resource zip export for the 1st PR ?

Then the FU will not be exportable at all.

Comments from chat iwth Cartsen:
What is missing, besides the place where the import is happening, ...

• Validation file belongs to a response
• If orphan files are uploaded, never be able to delete theme as no browser

Considerations:

• What happens if you activate and deactivate.
• Solution needs to be backward compatible.