[PAID-job] Create a plugin to require authentication to access images uploaded to a Discourse server

What would you like done?

We would like a plugin written that, when enabled, provides a tick box for site admins like the existing “prevent anons from downloading files” option but for images.

When ticked this would prevent non-authenticated, anon users from accessing images that are uploaded:

  1. Account Profile Picture
  2. Account Profile Background
  3. Account User Card Background
  4. Any image embedded in a Post apart from images posted as attachments to the automatically created “Assets for the site design” Staff only thread.

If it is too complex, or adds too much overhead, to allow access to the images posted to the “Assets for the site design” thread then this could be omitted as the files could be manually uploaded to the Docker container.

Ideally non-authenticated users would be served a “404 Not Found” HTTP response when accessing a image URL rather than a “403 Forbidden” (as this would allow anon users to discover if images exist or not and would therefore constiture a information leak).

We would like the plugin to be licensed under the same terms as Discourse itself (GPLv2) and we would like the code to be made publically available on GitHub.

We expect the code to adhere to a high standard and reserve the right to delay payment until these standards are met.

Please note that this issue has been discussed previously on this forum and that we are aware that it would cause problems for image links in emails, and for content delivery networks, the Discourse site that this plugin is for doesn’t use a CDN and we can live with potential 404s in HTML emails.

When do you need it done?

We appreciate that this is very short notice but we are in an emergency situation and would ideally like the plugin to be available for testing early next week (we have a testing server) so that it could be deployed by Thursday 2nd November, if this is not possible we would be interested in what timescale you would propose.

What is your budget, in £ GBP that you can offer for this task?

There is currently no set budget for this work, however the client is a charity so a reasonable programming rate would be expected — either an hourly rate or an estimate for the complete task, ideally in £ GBP as we are UK based.

What form would you like quotes to take

We would like some examples of previous Ruby or Discourse programming that has been undertaken and we would like proposals to be sent by email to support@agile.coop.

6 Likes

There is now a plugin available to make images unavailable to non-authenticated users, Discourse Images Guardian, which has been written by @mbcahyono and has been released under the same terms as Discourse (GPLv2):

https://github.com/muhlisbc/discourse-images-guardian

This plugin works by setting a iguard cookie for authenticated users and if this cookie isn’t provided with requests for images a 404 is served. We are very pleased with the quick work @mbcahyono has done on this job and would recommend him for other Discourse plugin programming.

7 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.