Steps to reproduce:
Now you can observe that clicking on the original media attachment works fine, but clicking on the quoted/copied media link (even though it is the exact same link) leads to error page:
I suspect it might have to do with the referrer tag because that is the only difference.
I am not sure this is an allowed used case, secure media means that the media is strongly associated with a post and this is depending on loose association.
@martin can confirm later this week
Thanks for your reply!
If the intention is that the media is associated with the post then there is a much bigger “bug”, because as it works right now, you can copy the url to the media (it looks like this https://www.my.domain/secure-media-uploads/original/1X/db86496651c78aa64adbe43b2907654555002.pdf ) and simply share it with anybody who is logged in to Discourse, and they can paste it in their browser address bar (without even opening Discourse) and download the file.
This feature only works with s3 and it is unclear if you have it enabled or not?
Yes, S3 is enabled. Otherwise I wouldn’t be able to use “Secure Media”.
Well I recommend you test this a lot more carefully, post an image in a pm and notice how end users without access to the pm do not have access
If logged in users have access to the post with the pdf they can download it
ah, that is a good point. I will test it right away.
EDIT: Ok apologies, you are right, only users with access to the post can download the media. Still, it is not limited to actually clicking on the post link, so given that the link was copied, and the user has access to to original media - I still think it should allow to download it without forcing the user to copy-paste the URL to his address bar
I will try to take a look at this for you this week, thanks for the report.
Sorry for the delay, this is fixed by https://github.com/discourse/discourse/pull/11348