Disallow anonymous users from viewing image & file URLs


(Jeff Atwood) #5

This really screws up CDNs so it is a much harder problem than it looks.


(Sam Saffron) #6

Yeah, you would have to give up on CDN for images or come up with a very elaborate config on fastly if such an option were to exist


(Erlend Sogge Heggen) #7

Giving up on CDN is a perfectly viable solution in such a case though, since communities under complete lock-down would never surpass a few thousand users and will never see crazy spikes in traffic.


#8

We would want this feature and would happily not use a CDN (we aren’t using one now anyway).


#9

I am trying to push Discourse as our new forum software (coming from vBulletin), but this might be considered a blocker by the other members.
We deal with very sensitive and personal content, and I believe the idea that an image can potentially be viewed by anyone on the web will scare some of them. Privacy is the #1 concern.


(Chris Croome) #10

I have hit exactly the same issue as @jrgen highlighted and fear that the only option might be to delete all the images transferred from vBulletin and then make it very clear to people that they should only use images for their profile and background that they are happy being potentially publicly associated with their username. Because profile images have URLs like this: https://forum.example.org/user_avatar/forum.example.org/chrisc/120/26_1.png (background image URLs are not so bad since they contain a random string).


(Stephen Chung) #11

Forums with sensitive info almost never use CDN to serve those assets. If they do, it is an elaborate setup.

I have business critical and company confidential info inside the forum and technically it is all downloadable by anybody who can guess the name.


(Chris Croome) #12

For one client I setup a Discourse server behind a HTTPS only Ngnix reverse proxy with HTTP Authentication to prevent data leaks of this nature, technically it worked fine, however the usability issues raised by the need for people to enter two usernames and passwords was far too much for non-technical users to cope with so for this reason Discourse was unusable for this job.

Deleting or not allowing images isn’t really practical either — the only workable solution to this is for there to be a settings tick box, for images, as suggested in the first post in this thread:

We do already have a setting for prevent anons from downloading files, so the suggestion is to have something similar, but as a global flag for all images & other uploads.


(Chris Croome) #13

The client I’m working for at the moment on this is willing to pay for a plugin to solve this issue, see:


(Jeff Atwood) #14

We would like to tackle this problem, and have a setting that forces all images and attachments to require a login to view. I think it is a completely valid use case. It is kind of difficult, though. If you wanted to work on it we could fund that work.


(Jay Pfaffman) #15

I started working at a way to get nginx to enforce downloads only for logged in users, but haven’t yet figured out how to do it that way.

I think that it should be reasonable easy to do it with this:

http://nginx.org/en/docs/http/ngx_http_auth_request_module.html


(Stephen Chung) #16

Using such a middleware has the additional benefit of being able to track and trace and log access to sensitive assets, count such access, and run statistics on requests!

EDIT: And you can then fine-tune the access permissions by user, or allow only users that can view the post(s) linking to the asset to download it.

The bad thing is… probably a custom nginx need to be built. That would probably complicate the setup, so this shouldn’t be something that comes as default, right?


(Jay Pfaffman) #17

No. It seems that the stock nginx has all the stuff.


(Stephen Chung) #18

Yup, but not build in by default. I suppose a custom built is needed to include the module.


(Jay Pfaffman) #19

No. I added code to use the module in a standard container and the needed parts seem to be included.


(Chris Croome) #20

There is now a plugin available for preventing unauthenticated users accessing images, Discourse Images Guardian:

This has been written by @mbcahyono and was paid for by a client, after advertising the job here, we are very happy with the result.


(Erlend Sogge Heggen) #21

Wonderful!

@mbcahyono could you please create a new topic for the plugin in #plugin?


(Chris Croome) #22

The Discourse Images Guardian plugin no longer works with the latest Discourse beta — you can’t set a URL for the logos any more so all images now require authentication, this results in the site logos returning 404’s for non-authenticated users, I have opened an issue for this on GitHub to see if we can find a way to solve this.


(Chris Croome) #23

The Discourse Images Guardian has been updated by @mbcahyono so it now works with the latest Discourse beta, I have deployed it to a couple of servers running v2.3.0.beta1 :slight_smile:.


(Chris Croome) #24

The Discourse Images Guardian plugin doesn’t currently work with the latest Discourse v2.3.0.beta5, I have had to disable it on a couple of sites. I have raised an issue for this on GitHub and hopefully @mbcahyono will have a suggestion for a fix for this soon.