There is a lot of complexity here that is missing from the discussion. Let me try to unwrap some of this. There are a bunch of types of uploads Discourse can get:
- Totally public uploads (category is not read restricted, or a PM)
- Semi private uploads (category is read restricted)
- Private uploads (category is a PM)
To add a bit more complexity here:
- Topics can transfer between states: a PM can become a public topic, a public topic can become a semi private topic, and so on.
- Uploads can be images or files
- Topics can get deleted
- We always prefer to use a CDN for images
And to layer on some more complexity, uploads can be images or attachments (uploads that are not images).
We implement 2 security mechanisms at Discourse:
- Increased barrier security (GUID for images)
- ACL based security: you must be both logged in and have access to a topic to download attachments. (Eg: when you upload a text file or zip file or whatever)
ACL based security kills the option of using a CDN; you simply cannot have the image live on the CDN in any “simple” way without jumping through insurmountable hoops to serve an asset from a CDN and check with Discourse for security.
Increased barrier security ™ is not 100% safe and can in certain cases leak out if you forward an email and then your friend forwards the email again and so on.
So, to answer the original question here.
No, GUIDs for filenames are not 100% secure under all conditions. Nothing is really.
They are absolutely unguessable, however people can leak them out if they want to.
But what about people taking “screenshots” of a page at Discourse and sharing them? How do we stop that problem?
I do feel that since
- We want to keep the CDN working
- You cannot guess a GUID
This is secure enough for image uploads, though if you were running some sort of MEGA private site I would be totally open to a site setting that passes all images via the ACL path as well and disallows CDNs.
I do not want to introduce a “simpler” mechanism (eg: id only) for public topics because of the portability problem. It makes the code that has to change a topic to a PM, or any code that changes security, need to be much smarter and rebake posts and so on.
To conclude I just don’t see what we have now as having any major issues, but open to improvements for MEGA private installs that care not for CDNs.
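The two mechanisms described in the post, as an added toy model in Ruby (constructed for illustration, not Discourse's own code; the `Upload`/`Topic` structs, the placeholder CDN host and the helper names are assumptions): images get an unguessable CDN URL that survives a topic changing state, attachments are checked against the topic ACL on every request.

```ruby
require "securerandom"

# Constructed toy model of the two serving paths described in the post.
# Upload: an unguessable token plus whether it is an :image or an :attachment.
# Topic: the state that the ACL path checks on every request.
Upload = Struct.new(:token, :kind, :topic)
Topic  = Struct.new(:private_message, :read_restricted, :allowed_user_ids, :deleted)

CDN_BASE = "https://cdn.example.invalid/uploads" # placeholder CDN host

# "Increased barrier" security: the only thing protecting the object is that
# its name cannot be guessed (128 bits from a CSPRNG, not a sequential id).
def new_upload(kind, topic)
  Upload.new(SecureRandom.hex(16), kind, topic)
end

# ACL security: the requester must be logged in (user_id present) and must be
# allowed to read the topic in its *current* state.
def can_access?(topic, user_id)
  return false if user_id.nil? || topic.deleted
  if topic.private_message || topic.read_restricted
    topic.allowed_user_ids.include?(user_id)
  else
    true
  end
end

# Images are served from the CDN by their unguessable URL, which does not
# depend on topic state (so a topic moving to or from a PM needs no rebake).
# Attachments never go to the CDN; they are checked against the ACL each time.
def serve(upload, user_id)
  if upload.kind == :image
    { status: 200, location: "#{CDN_BASE}/#{upload.token}" }
  elsif can_access?(upload.topic, user_id)
    { status: 200, location: "/secure-uploads/#{upload.token}" }
  else
    { status: 403 }
  end
end

# Topic state transfer (PM -> public), which the post notes can happen.
def make_public!(topic)
  topic.private_message = false
  topic.read_restricted = false
  topic
end
```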