Create a restricted category, and post an attachment in there.
With another account, one that doesn’t have access to the restricted category, try and access the uploaded file (e.g. the original user has copied the link, perhaps in a forwarded email by mistake)
User is able to access the file
This is more a people issue rather than a technical one I think, since instead of sharing the link, they could just email the attachment themselves anyway. If there is, however, any way of validating permissions before allowing access to an attachment that could be worthwhile, even a Good Thing™?
Could the attachment not have a different hashed URL for each post it appears in so indeed the permissions follow from the post? And only allow access to it if the user also has access to the related post?
This is a fairly serious issue because the presumption is that the attached file has the same security settings as the post it goes in… this is not true at the moment and may result in unpleasant surprises. In the meantime and until this issue is solved, how about adding a warning note to the upload interface along the lines of “Note: attachments to posts in this forum, even in secure categories, are available to any user with the attachment URL.”
On a related note, will google be spidering the attachments? It would be a shame and a surprise to users if uploaded attachments to private groups appear in google searches.
These are strange presumptions! Do you assume that an image you place in a private topic is also private? It can be copied out, pasted, or linked to externally, yes?
The plugin automatically generates a new attachment URL, so the real file path / url is not exposed.
Now, the attachments are not static content anymore: they served dynamically through the plugin who controls access permissions.
And now you can setup your web server (Thin or Nginx) for permormance and serve the remaining static content (inline images) directly (not passing it to Rails). It can considerably speed up your Discourse site.
Notice:
a permitted user sees the real human readable file name when he has downloaded a restricted file.
a restricted file has a short, clean URL like http://discourse.pro/file/113
We do not prohibit users from sharing a private attachment link anymore.
Quite the contrary the sharing of private attachments by forum members is now in favour of the a forum owner: when someone unauthenticated or unauthorized clicks a private attachment link he sees how to buy the file (or what else he should do to gain the access).
The plugin is SEO friendly: it does not return 404 blank page on unallowed access (as Discourse core does for attachments available only to logged in), but returns the correct HTTP 401 code for unauthenticated (not logged in) access and HTTP 403 code for unauthorized access with rich HTML customizable messages in the both cases. So Google knows than a private file is not broken, the file is actually exists but restricted.