Image URLs still work if you aren't signed in

(Jared Needell) #1

If I create a forum post and upload an image/file, the URL for the image will load regardless of whether you have permissions or are even logged in.

(Stephen) #2

AFAIK that’s by design. It’s how the “assets for site design” thread can sit in Staff, but still be used for anonymous access site-wide.

(omfg) #3

Hmm, the design won’t be appreciated by those who host closed forums centered around private, proprietary or non-free content.

This should be documented (if not redesigned). I didn’t know about this and I’ve been planning to launch a site where restricted attachment access is very important.

(Jeff Atwood) #4

Generally such sites are not public anyway, are they? And there is a setting to restrict anon access to attachments, as I recall. Check your site settings. Yes, there it is… Look in the Files section of Site Settings.

(Jared Needell) #5

This is what you are referring to, right?

So the site is set to private; you need to be able to log in to see any of the categories/content. I went to create a new topic and uploaded an image via the upload button on the post compose window. The image uploaded fine and posted to the site. I can right-click on the image, grab the URL, and then another user not logged into the Discourse instance can see that image without any issues.

(Michael Downey) #6

FWIW, the same can be done with private/restricted photos posted on Facebook, too, like this ultra-sensitive one that has the highest security settings (“Only Me”):

(Sam Saffron) #7

I am pretty sure this protection only applies to attachments and stuff that goes through our Rails app; images do not.

(Jared Needell) #8

Probably the only solution, then, is to only allow LAN and VPN access to the instance.