On Login required, assets are still accessible to nonautheticated users


(blaumeer) #1

My Discourse setup is Login required: Require authentication to read content on this site, disallow anonymous access.

I noticed that uploaded files are accessible to nonauthenticated users, for example:

Do you see the above image? (Giorgio Manganeli, an Italian poet)

The same applies to CSS:
https://eulalia.nazioneindiana.it/uploads/stylesheet-cache/desktop_bc1a66faad412b857009abb078cfd75641168a97.css

I did not test extensively for other assets.


(Sam Saffron) #2

To get this to work as you desire every asset would have to go via the rails process, something that even with sendfile would add a cost.

Not easy to fix at all.


(blaumeer) #3

Thank you Sam. In fact, I do not “desire” it, but I am trying to understand what (very broadly defined) level of privacy Discourse provides, and it seems that the best setup is a public setup where you assume everything is public by default.


(Gerhard Schlager) #4

IMHO, on private forums files uploaded by users should only be accessible to authenticated users.
I can’t imagine that using X-Sendfile will use lots of processing power…


(Sam Saffron) #5

it means we need to ship a custom nginx config and build a proxy route, not impossible but annoying to wire up.

if a paying customer pushes us to build this or someone contributes, so be it.

but not on our roadmap for now.


(system) #6

(Sam Saffron) #7

This is now on the roadmap, assigning to myself and will update once we make progress here, expecting some sort of solution here within 6-12 months.