Attachment / Upload email links now throw 404 if not logged in (SSO)


(Wes Osborn) #1

I’ve been getting user complaints since our upgrade to v1.8.0.beta1 +3 last week, so this seems to be due to a recent change (sorry we don’t have an older environment for me verify).

We are an environment that requires all users to be logged in via SSO to be able to interact with our forum.

Before the upgrade, a user could click on a link to a file in their email (either from a digest for mailing list mode) and download the associated file. It appears this could happen even if they weren’t logged into Discourse.

After the upgrade, when a user clicks on a link to a file from their email and they haven’t logged in, they get a 404 error.


What were getting is regular complaints from users that the links we’re sending via email are broken because they don’t know that they need to log in FIRST and then click on the link.

While I’m in favor of not allowing them to view the file until they log in, it is confusing to them that it generates a 404 error. I think that a 401 or a 403 with the prompt to log-in via SSO would be more appropriate.


Mailing List Replacement : Email Attachments
(Jeff Atwood) #2

Have you enabled the site setting to disallow downloads for anon users? Can you repro this here on meta?


(Wes Osborn) #3

No, that setting is not enabled:

Doesn’t meta allow read-only even if you’re not logged in? Our site doesn’t allow you to do anything until you’ve logged in. In order to fully repro, I’d need another site that requires you to be logged in for all transactions (and preferably logged in via SSO).


(Jeff Atwood) #4

Not sure, maybe @zogstrip can take a look next week. This must be login-required specific?


(Wes Osborn) #5

Still seeing this on v1.8.0.beta4 +72. Wondering if something similar to what was done over here could be put in place for upload links:


(Régis Hanol) #7

I think @techAPJ fixed that issue recently. Can you update and confirm?


(Arpit Jalan) #8

I did not fix this particular bug. What I did was show a nicer 404 page (as opposed to blank page) when trying to access an attachment as anon.

Okay, so I believe you have “login required” setting enabled? If yes, an anonymous user can’t view/download that attachment because they are not logged in.


(Wes Osborn) #9

Yes, we do have the setting enabled and we appreciate that Discourse no longer allows to download the attachment without logging in. But we are still having some confusion from users that get an email notice, click on the link to download the attachment and because they weren’t already logged in are confused about what their next step should be.

I upgraded last night and the Oops page is an improvement over the generic 404 we were getting before. However, I notice that if you do login from that page, you aren’t redirected to the attachment or the post with the attachment, instead you just land at the “root” of the site.

Has there been any thought to redirecting the user once they login to the URL that they were attempting to originally access? (I’m happy to open that as a separate feature request as I think that happens from other pages as well.)


(Jeff Atwood) #10

I believe you get redirected from other URLs on login but feel free to test and let us know.