Disallow anonymous users from viewing image & file URLs


(Erlend Sogge Heggen) #1

This came up in an internal discussion. Putting it up here so we can track it.

Discourse image URLs on a invitation-only forum are still publicly viewable. Although these URLs are technically unguessable, e.g.

/uploads/default/original/2X/4/4150d682b0472888f0014f67f8c09852008067d4.jpg

… some internal communities deal in such sensitive information that outright disallowing any viewing of these images would be preferable. We do already have a setting for prevent anons from downloading files, so the suggestion is to have something similar, but as a global flag for all images & other uploads.


Image upload permissions
[PAID-job] Create a plugin to require authentication to access images uploaded to a Discourse server
(Michael - DiscourseHosting.com) #2

Why should there be a separate flag? Just enforce this whenever login_required is set…?
Or even better, use the permissions from the parent category.


(Régis Hanol) #3

I’m thinking we could do it in a middleware, but I’m sure @sam has a better idea :wink:


(Dean Taylor) #4

Wouldn’t this impact the following?

  • Images displayed in email notifications (appearing broken)
  • where images delivered via a proxy (i.e. Gmail)
  • generally in mail clients
  • CDN delivery
  • force cookie based authentication will reduce the effectiveness of a CDN.

(Jeff Atwood) #5

This really screws up CDNs so it is a much harder problem than it looks.


(Sam Saffron) #6

Yeah, you would have to give up on CDN for images or come up with a very elaborate config on fastly if such an option were to exist


(Erlend Sogge Heggen) #7

Giving up on CDN is a perfectly viable solution in such a case though, since communities under complete lock-down would never surpass a few thousand users and will never see crazy spikes in traffic.


#8

We would want this feature and would happily not use a CDN (we aren’t using one now anyway).


#9

I am trying to push Discourse as our new forum software (coming from vBulletin), but this might be considered a blocker by the other members.
We deal with very sensitive and personal content, and I believe the idea that an image can potentially be viewed by anyone on the web will scare some of them. Privacy is the #1 concern.


(Chris Croome) #10

I have hit exactly the same issue as @jrgen highlighted and fear that the only option might be to delete all the images transferred from vBulletin and then make it very clear to people that they should only use images for their profile and background that they are happy being potentially publicly associated with their username. Because profile images have URLs like this: https://forum.example.org/user_avatar/forum.example.org/chrisc/120/26_1.png (background image URLs are not so bad since they contain a random string).


(Stephen Chung) #11

Forums with sensitive info almost never use CDN to serve those assets. If they do, it is an elaborate setup.

I have business critical and company confidential info inside the forum and technically it is all downloadable by anybody who can guess the name.


(Chris Croome) #12

For one client I setup a Discourse server behind a HTTPS only Ngnix reverse proxy with HTTP Authentication to prevent data leaks of this nature, technically it worked fine, however the usability issues raised by the need for people to enter two usernames and passwords was far too much for non-technical users to cope with so for this reason Discourse was unusable for this job.

Deleting or not allowing images isn’t really practical either — the only workable solution to this is for there to be a settings tick box, for images, as suggested in the first post in this thread:

We do already have a setting for prevent anons from downloading files, so the suggestion is to have something similar, but as a global flag for all images & other uploads.


(Chris Croome) #13

The client I’m working for at the moment on this is willing to pay for a plugin to solve this issue, see:


(Jeff Atwood) #14

We would like to tackle this problem, and have a setting that forces all images and attachments to require a login to view. I think it is a completely valid use case. It is kind of difficult, though. If you wanted to work on it we could fund that work.


(Jay Pfaffman) #15

I started working at a way to get nginx to enforce downloads only for logged in users, but haven’t yet figured out how to do it that way.

I think that it should be reasonable easy to do it with this:

http://nginx.org/en/docs/http/ngx_http_auth_request_module.html


(Stephen Chung) #16

Using such a middleware has the additional benefit of being able to track and trace and log access to sensitive assets, count such access, and run statistics on requests!

EDIT: And you can then fine-tune the access permissions by user, or allow only users that can view the post(s) linking to the asset to download it.

The bad thing is… probably a custom nginx need to be built. That would probably complicate the setup, so this shouldn’t be something that comes as default, right?


(Jay Pfaffman) #17

No. It seems that the stock nginx has all the stuff.


(Stephen Chung) #18

Yup, but not build in by default. I suppose a custom built is needed to include the module.


(Jay Pfaffman) #19

No. I added code to use the module in a standard container and the needed parts seem to be included.


(Chris Croome) #20

There is now a plugin available for preventing unauthenticated users accessing images, Discourse Images Guardian:

This has been written by @mbcahyono and was paid for by a client, after advertising the job here, we are very happy with the result.