Create a new topic and drag media (pdf file would do nicely)
Reply to your own topic with a copy-paste of the media (or just quote yourself)
Now you can observe that clicking on the original media attachment works fine, but clicking on the quoted/copied media link (even though it is the exact same link) leads to an error page:
I suspect it might have to do with the referrer tag because that is the only difference.
I am not sure this is an allowed use case. Secure media means that the media is strongly associated with a post, and this depends on a loose association.
If the intention is that the media is associated with the post then there is a much bigger “bug”, because as it works right now, you can copy the URL to the media (it looks like this: https://www.my.domain/secure-media-uploads/original/1X/db86496651c78aa64adbe43b2907654555002.pdf) and simply share it with anybody who is logged in to Discourse, and they can paste it in their browser address bar (without even opening Discourse) and download the file.
Ah, that is a good point. I will test it right away.
EDIT: OK, apologies, you are right, only users with access to the post can download the media. Still, it is not limited to actually clicking on the post link, so given that the link was copied, and the user has access to the original media, I still think it should allow downloading it without forcing the user to copy-paste the URL to his address bar.