On Login required, assets are still accessible to nonautheticated users

(blaumeer) #1

My Discourse setup is Login required: Require authentication to read content on this site, disallow anonymous access.

I noticed that uploaded files are accessible to nonauthenticated users, for example:

Do you see the above image? (Giorgio Manganeli, an Italian poet)

The same applies to CSS:

I did not test extensively for other assets.

(Sam Saffron) #2

To get this to work as you desire every asset would have to go via the rails process, something that even with sendfile would add a cost.

Not easy to fix at all.

(blaumeer) #3

Thank you Sam. In fact, I do not “desire” it, but I am trying to understand what (very broadly defined) level of privacy Discourse provides, and it seems that the best setup is a public setup where you assume everything is public by default.

(Gerhard Schlager) #4

IMHO, on private forums files uploaded by users should only be accessible to authenticated users.
I can’t imagine that using X-Sendfile will use lots of processing power…

(Sam Saffron) #5

it means we need to ship a custom nginx config and build a proxy route, not impossible but annoying to wire up.

if a paying customer pushes us to build this or someone contributes, so be it.

but not on our roadmap for now.