If I create a forum post and upload an image/file, the URL for the image will load regardless of whether you have permissions or are even logged in.
AFAIK that’s by design. It’s how the “assets for site design” thread can sit in Staff, but still be used for anonymous access site-wide.
Hmm, the design won’t be appreciated by those who host closed forums centered around private, proprietary or non-free content.
This should be documented (if not redesigned). I didn’t know about this and I’ve been planning to launch a site where restricted attachment access is very important.
Generally such sites are not public anyway, are they? And there is a setting to restrict anon access to attachments, as I recall. Check your site settings. Yes, there it is… Look in the Files section of Site Settings.
This is what you are referring to, right?
So the site is set to private; you need to be able to log in to see any of the categories/content. I went to create a new topic and uploaded an image via the upload button on the post compose window. The image uploaded fine and posted to the site. I can right-click on the image, grab the URL, and then another user not logged into the Discourse instance can see that image without any issues.
FWIW, the same can be done with private/restricted photos posted on Facebook, too, like this ultra-sensitive one that has the highest security settings (“Only Me”):
I am pretty sure this protection only applies to attachments and stuff that goes through our Rails app; images do not.
Probably the only solution, then, is to allow only LAN and VPN access to the instance.