Attachments available to any user with link

My «Restrict Files» plugin solves the problem of unauthenticated / unauthorized access to attachments:


The plugin automatically generates a new attachment URL, so the real file path / URL is not exposed.
Now, the attachments are not static content anymore: they are served dynamically through the plugin, which controls access permissions.
And now you can set up your web server (Thin or Nginx) for performance and serve the remaining static content (inline images) directly (not passing it to Rails). It can considerably speed up your Discourse site.

Notice:

  • a permitted user sees the real human-readable file name when he has downloaded a restricted file.

  • a restricted file has a short, clean URL like http://discourse.pro/file/113
    We do not prohibit users from sharing a private attachment link anymore.
    Quite the contrary, the sharing of private attachments by forum members is now in favour of the forum owner: when someone unauthenticated or unauthorized clicks a private attachment link, he sees how to buy the file (or what else he should do to gain access).
    The plugin is SEO friendly: it does not return a blank 404 page on unallowed access (as Discourse core does for attachments available only to logged-in users), but returns the correct HTTP 401 code for unauthenticated (not logged in) access and HTTP 403 code for unauthorized access, with rich, customizable HTML messages in both cases. So Google knows that a private file is not broken: the file actually exists but is restricted.
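
An added example, not part of the original post and not the plugin's code: a minimal Rack-style handler in Ruby showing the behaviour described above (opaque `/file/<id>` URL, 401 for anonymous requests, 403 for logged-in users without permission, real file name sent only on a permitted download). The `FILES` and `SESSIONS` tables, the `X-Session` header and the storage path are constructed assumptions.

```ruby
# Added illustration, not the Restrict Files plugin's code.
# FILES, SESSIONS, the X-Session header and all values are constructed.

# Opaque id -> stored blob. The storage path never appears in a URL or header.
FILES = {
  113 => { path: "/var/uploads/ab/cd/9f3e.bin", name: "Price list.pdf",
           allowed_groups: ["customers"] }
}.freeze

# Session token -> user. Stands in for the forum's real session lookup.
SESSIONS = {
  "tok-alice" => { name: "alice", groups: ["customers"] },
  "tok-bob"   => { name: "bob",   groups: [] }
}.freeze

class RestrictedFiles
  def initialize(reader: ->(path) { File.binread(path) })
    @reader = reader
  end

  # Rack-style entry point: returns [status, headers, body].
  def call(env)
    m = %r{\A/file/(\d+)\z}.match(env["PATH_INFO"].to_s)
    file = m && FILES[m[1].to_i]
    return page(404, "No such file.") unless file

    user = SESSIONS[env["HTTP_X_SESSION"]]
    return page(401, "Log in to download this file.") unless user
    unless (user[:groups] & file[:allowed_groups]).any?
      return page(403, "Your account does not have access to this file.")
    end

    # Only a permitted user learns the human-readable name; strip characters
    # that could break out of the quoted header value.
    safe = file[:name].gsub(/[^\w .-]/, "_")
    headers = { "Content-Type" => "application/octet-stream",
                "Content-Disposition" => %(attachment; filename="#{safe}"),
                "Cache-Control" => "private, no-store" }
    [200, headers, [@reader.call(file[:path])]]
  end

  private

  # Denials are HTML pages with a real status code, never the file bytes.
  def page(status, text)
    [status, { "Content-Type" => "text/html; charset=utf-8",
               "Cache-Control" => "no-store" }, ["<p>#{text}</p>"]]
  end
end
```

Distinct 401/403 responses confirm to any requester that the id exists, which is the trade-off the post accepts so that crawlers do not treat the file as broken.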