Login required = Cannot download if not logged in?

(Stephen Chung) #1

My site is login required.

However, I make sure that prevent anons from downloading files is OFF.

Still, simply trying to access a link to an uploaded file will get an error page saying the link doesn’t exist.

Accessing the same link while logged in as any user will download the file.

(Jeff Atwood) #3

Hmm, are you sure that’s the case? Test that assumption. What kind of “files” are you referring to here? png? jpg? word documents? There is a big difference between

  • stuff carried by the CDN (aka images, etc)
  • stuff not carried by the CDN

(Stephen Chung) #4

In this case it is a PDF file.

I am not using a CDN.

EDIT: JPG and PNG images all download fine, even when login required is ON. All non-image file types don’t seem to get through.

(Jeff Atwood) #5

Hmm, any thoughts here @zogstrip?

(Felix Freiberger) #6

I’m pretty sure this is intentional. If I remember correctly, attachments always go through the permission checks while images are served by Nginx directly for performance reasons and because images are typically less sensitive.

(Jeff Atwood) #7

Right but that does not seem to be consistent with the setting referenced in the first post, for “real” attachments.

(Régis Hanol) #8

@fefrei is right, images are always served via NGINX and attachments always go through the application stack.

The check for login_required happens first in the stack but we explicitly skip it for the action showing (downloading) attachments.

But, we check for login_required in the show action and return a 404 only for the main site.

@sam added that 2 years ago in order to keep previous behavior. Do you remember why?

(Sam Saffron) #9

I vaguely recall this is multisite CDN related, cause then you can not origin pull … very vague memories on that though and attachments don’t go via the CDN… so … yeah … I am stumped at why I did that.

(Jeff Atwood) #10

Should this be … un … done? If something weird goes in, we should leave a comment explaining why.

(Sam Saffron) #11

Sure … removing that line for now.

done per: FIX: allow login required sites access to attachements · discourse/discourse@a92f61e · GitHub

(Jeff Atwood) #12

Does this fix it for you @schungx, with the caveat that CDN served resources (gif, jpg, etc) can’t really be handled from a permissions perspective because they never hit the Ruby server code in Discourse?

(Stephen) #13

I can dig out the thread, but back in 2015 there were several specific requests to ensure non-image attachments were protected in login required sites. Will this revert that?

(Sam Saffron) #14

I am not sure if we had prevent_anons_from_downloading_files cause now that we have that, if you want that specific behavior just turn on that switch.
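The request flow Régis describes in #8 (images served by NGINX, attachments through the app stack, the skipped global login_required filter and the extra 404 check in the show action) and the switch Sam points to above, as an added toy model in Ruby. This is illustration code, not Discourse's own; `SiteSetting`, `Upload`, `MAIN_SITE`, `serve_upload` and the sample paths are assumed for the example. The `legacy:` flag reproduces the behaviour before the line was removed; without it, only `prevent_anons_from_downloading_files` gates anonymous downloads.

```ruby
# Added example (not Discourse code): a toy model of the upload request
# pipeline discussed in this thread. All names below are assumptions.

# Site settings as they appear in the thread (constructed values, not live).
SiteSetting = Struct.new(:login_required, :prevent_anons_from_downloading_files,
                         keyword_init: true)

# Image types that NGINX serves directly without touching the Ruby stack.
IMAGE_EXTENSIONS = %w[png jpg jpeg gif].freeze

class Upload
  attr_reader :path

  def initialize(path)
    @path = path
  end

  def extension
    File.extname(path).delete_prefix('.').downcase
  end

  def image?
    IMAGE_EXTENSIONS.include?(extension)
  end
end

# Stand-in for the "main site" distinction in a multisite install (assumed).
MAIN_SITE = 'default'.freeze

# Simulates one request for an upload and returns either :nginx (the file is
# served before the application runs) or an HTTP status from the show action.
#
# legacy: true  -> pre-fix behaviour: the show action re-checks login_required
#                  for the main site and returns 404 even when
#                  prevent_anons_from_downloading_files is OFF.
# legacy: false -> post-fix behaviour: only the explicit switch blocks anons.
def serve_upload(upload:, settings:, current_user:, site: MAIN_SITE, legacy: false)
  # 1. Images never reach Ruby, so no permission check can apply to them.
  return :nginx if upload.image?

  # 2. Attachments reach the controller. The global login_required filter is
  #    skipped for this action, so we fall through to the action body.

  # 3. The line the fix removed: an extra login_required check, main site only.
  if legacy && settings.login_required && current_user.nil? && site == MAIN_SITE
    return 404
  end

  # 4. The setting that is meant to gate anonymous attachment downloads.
  return 404 if settings.prevent_anons_from_downloading_files && current_user.nil?

  200
end

# Small report used when the file is run directly; returns the rows so the
# result can also be checked programmatically.
def behaviour_table
  settings = SiteSetting.new(login_required: true,
                             prevent_anons_from_downloading_files: false)
  pdf = Upload.new('/uploads/default/original/1X/doc.pdf')  # constructed path
  png = Upload.new('/uploads/default/original/1X/pic.png')  # constructed path

  [
    ['anon, pdf, legacy',  serve_upload(upload: pdf, settings: settings, current_user: nil, legacy: true)],
    ['anon, pdf, fixed',   serve_upload(upload: pdf, settings: settings, current_user: nil)],
    ['anon, png, legacy',  serve_upload(upload: png, settings: settings, current_user: nil, legacy: true)],
    ['user, pdf, legacy',  serve_upload(upload: pdf, settings: settings, current_user: :alice, legacy: true)]
  ]
end

if __FILE__ == $PROGRAM_NAME
  behaviour_table.each { |label, result| puts format('%-20s => %s', label, result) }
end
```

Running it shows the symptom from the first post: with `login_required` ON and `prevent_anons_from_downloading_files` OFF, an anonymous PDF request got 404 under the old code while the PNG was served by NGINX regardless; after the fix the PDF returns 200, and turning the switch ON is what brings the 404 back for attachments only.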

(Stephen Chung) #15

I’m fine with it since I don’t use a CDN. It is a private forum. :sunglasses:

However, I think letting images through should be fine as this has always been the default behavior.

Blocking attachments is a bit of a hassle when running a private forum and sending out links to people who get it via email, click on the link, and find that it either doesn’t work or they have to log back in first and then re-click the link.

Allowing attachments to go through solves this hassle.