Attachments available to any user with link


(James Milligan) #1

Repro

  1. Create a restricted category, and post an attachment in there.
  2. With another account, one that doesn’t have access to the restricted category, try and access the uploaded file (e.g. the original user has copied the link, perhaps in a forwarded email by mistake)
  3. User is able to access the file

This is more a people issue rather than a technical one I think, since instead of sharing the link, they could just email the attachment themselves anyway. If there is, however, any way of validating permissions before allowing access to an attachment that could be worthwhile, even a Good Thing™?


Setting/Ability to Require account to download files
Setting/Ability to Require account to download files
(Sam Saffron) #2

Technically we can do this, a bit of an internal redesign is needed though. Its not an easy job.


(Jeff Atwood) #3

What if the same attachment link appears in both a public and a private topic?

I’m just not convinced it is the role of the topic to enforce this, I think attachment permissions should be specified elsewhere.


(Sam Saffron) #4

Yeah it is a can of worms, I guess you would set permission at the time of attachment upload. But, its a very big piece of complicated work.


(Tobias Eigen) #5

Could the attachment not have a different hashed URL for each post it appears in so indeed the permissions follow from the post? And only allow access to it if the user also has access to the related post?

This is a fairly serious issue because the presumption is that the attached file has the same security settings as the post it goes in… this is not true at the moment and may result in unpleasant surprises. In the meantime and until this issue is solved, how about adding a warning note to the upload interface along the lines of “Note: attachments to posts in this forum, even in secure categories, are available to any user with the attachment URL.”

On a related note, will google be spidering the attachments? It would be a shame and a surprise to users if uploaded attachments to private groups appear in google searches.


File attachments in restricted categories should be restricted
(Jeff Atwood) #6

These are strange presumptions! Do you assume that an image you place in a private topic is also private? It can be copied out, pasted, or linked to externally, yes?


(Discourse.PRO) #7

My «Restrict Files» plugin solves the problem of unauthenticated / unautorized access to attachments:


The plugin automatically generates a new attachment URL, so the real file path / url is not exposed.
Now, the attachments are not static content anymore: they served dynamically through the plugin who controls access permissions.
And now you can setup your web server (Thin or Nginx) for permormance and serve the remaining static content (inline images) directly (not passing it to Rails). It can considerably speed up your Discourse site.

Notice:

  • a permitted user sees the real human readable file name when he has downloaded a restricted file.

  • a restricted file has a short, clean URL like http://discourse.pro/file/113
    We do not prohibit users from sharing a private attachment link anymore.
    Quite the contrary the sharing of private attachments by forum members is now in favour of the a forum owner: when someone unauthenticated or unauthorized clicks a private attachment link he sees how to buy the file (or what else he should do to gain the access).
    The plugin is SEO friendly: it does not return 404 blank page on unallowed access (as Discourse core does for attachments available only to logged in), but returns the correct HTTP 401 code for unauthenticated (not logged in) access and HTTP 403 code for unauthorized access with rich HTML customizable messages in the both cases. So Google knows than a private file is not broken, the file is actually exists but restricted.


(Clay Heaton) #8

There’s an article about this problem in the context of Slack that is relevant to this conversation:


(Kane York) #9

I think that the file URLs are the SHA1 hash of the content, but there’s also a sequential upload ID. Not sure where that is used in a url?