Image URLs still work if you aren't signed in


(Jared Needell) #1

If I create a forum post and upload an image/file, the URL for the image will load regardless of whether you have permissions or are even logged in.


(Stephen) #2

AFAIK that’s by design. It’s how the “assets for site design” thread can sit in Staff, but still be used for anonymous access site-wide.


(omfg) #3

Hmm, the design won’t be appreciated by those who host closed forums centered around private, proprietary or non-free content.

This should be documented (if not redesigned). I didn’t know about this and I’ve been planning to launch a site where restricted attachment access is very important.


(Jeff Atwood) #4

Generally such sites are not public anyway, are they? And there is a setting to restrict anon access to attachments as I recall. Check your site settings. Yes, there it is… Look in the Files section of Site Settings.


(Jared Needell) #5

This is what you are referring to, right?

So the site is set to private; you need to be able to log in to see any of the categories/content. I went to create a new topic and uploaded an image via the upload button on the post compose window. The image uploaded fine and posted to the site. I can right-click on the image, grab the URL, and then another user not logged into the Discourse instance can see that image without any issues.


(Michael Downey) #6

FWIW, the same can be done with private/restricted photos posted on Facebook, too, like this ultra-sensitive one that has the highest security settings (“Only Me”):

https://scontent-ord1-1.xx.fbcdn.net/hphotos-xal1/v/t1.0-9/11990493_10155966015010285_6629972303587906213_n.jpg?oh=7bd60273a099deef52e59de67cac2429&oe=566782E7


(Sam Saffron) #7

I am pretty sure this protection only applies to attachments and stuff that goes through our rails app, images do not.


(Jared Needell) #8

Probably the only solution then is to allow only LAN and VPN access to the instance.
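As an added example (editor's code, not code from this thread or from Discourse itself): a small audit script that pulls the image and attachment URLs out of a rendered post and checks which of them a logged-out client can fetch, which is the test Jared describes in #5 and the image-versus-attachment distinction Sam draws in #7. The sample HTML, the `forum.example` host, the upload paths and the `class="attachment"` markup are assumptions, not taken from the thread.

```python
import re
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# Constructed sample of a rendered post (assumed markup, not from the thread):
# one inline image and one attachment link.
SAMPLE_POST_HTML = """
<div class="cooked">
  <p><img src="https://forum.example/uploads/default/original/1X/abc123.png" alt="image"></p>
  <p><a class="attachment" href="https://forum.example/uploads/short-url/def456.pdf">spec.pdf</a></p>
</div>
"""

IMG_RE = re.compile(r'<img[^>]+src="([^"]+)"')
ATTACH_RE = re.compile(r'<a[^>]+class="attachment"[^>]+href="([^"]+)"')

def extract_upload_urls(html):
    """Return [(kind, url)] for inline images and attachment links in post HTML."""
    found = [("image", u) for u in IMG_RE.findall(html)]
    found += [("attachment", u) for u in ATTACH_RE.findall(html)]
    return found

def anonymous_status(url, timeout=10):
    """HTTP status for a GET sent with no cookies or auth headers (a logged-out client)."""
    req = Request(url, headers={"User-Agent": "anon-upload-audit"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as e:
        return e.code          # e.g. 403 when the app refused the download
    except URLError:
        return None            # unreachable host / network error

def audit(html, fetch=anonymous_status):
    """Flag every upload that a logged-out client can fetch (HTTP 200).

    `fetch` is injectable so the logic can be exercised offline with a stub."""
    findings = []
    for kind, url in extract_upload_urls(html):
        status = fetch(url)
        findings.append({"kind": kind, "url": url, "status": status,
                         "anonymous_readable": status == 200})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_POST_HTML):
        flag = "ANON-READABLE" if f["anonymous_readable"] else "blocked"
        print(f"{f['kind']:10} {str(f['status']):5} {flag:14} {f['url']}")
```

Run it against a post on a private site with real URLs substituted; any line marked ANON-READABLE is an upload that the login requirement does not cover.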