Issue Description
During a security assessment of our customized Discourse forum, we discovered a potential authentication issue affecting image attachments uploaded within private messages.
Details
- Upload API: /uploads.json
- Access URL: /uploads/default/original/1X/{file_name}
- Reproduction:
  - User uploads an image in a private message (with for_private_message=true).
  - The resulting image can be accessed via a direct link by any third party (including non-logged-in users or users in incognito mode).
Security Concern
- Images uploaded in private messages are expected to be confidential and only accessible to the participants of the conversation.
- However, as currently implemented, anyone with the direct URL can download these files, regardless of authentication or authorization status.
Questions
- Is this the intended behavior in the current Discourse implementation?
- Are there recommended settings or plugins to ensure that private message attachments are properly protected and only visible to authorized users?
- Has this issue been discussed or addressed in the upstream Discourse project?
- Are there best practices for securing private uploads in Discourse deployments?
Thank you for your help and advice on this important security concern!
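The two-step reproduction described in the post, as an added, repeatable check (this is example code written for this page, not code from the post author or from the Discourse project). It uploads an image through /uploads.json with for_private_message=true as an authenticated user, then requests the returned file URL with no cookies and no API headers and reports whether the server answered 200. Assumptions beyond what the post states: the standard Discourse API headers Api-Key and Api-Username, the composer upload parameters type=composer and synchronous=true, and that the JSON reply carries the stored path under a "url" key; the hostname forum.example, the key value and the in-memory fake_discourse transport are constructed so the logic can be exercised offline.

```python
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
import uuid

# Constructed 1x1 PNG so the upload is a real image file rather than arbitrary bytes.
TINY_PNG = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)


def build_multipart(fields, file_field, filename, data, content_type):
    """Encode form fields plus one file as multipart/form-data; returns (body, Content-Type)."""
    boundary = "----pm-upload-check-" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append(
        (f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
         f'filename="{filename}"\r\nContent-Type: {content_type}\r\n\r\n').encode() + data + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def http(method, url, headers, body=None, transport=None):
    """Return (status, body). A transport callable replaces real HTTP for offline runs.
    urllib raises on 4xx/5xx, so HTTPError is folded back into a (status, body) pair."""
    if transport is not None:
        return transport(method, url, headers, body)
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def upload_private_image(base_url, api_key, api_username, filename, data, transport=None):
    """Upload as an authenticated user with for_private_message=true; return the absolute file URL.
    Assumed (not stated in the post): Api-Key/Api-Username headers, type=composer, synchronous=true."""
    body, content_type = build_multipart(
        {"type": "composer", "synchronous": "true", "for_private_message": "true"},
        "files[]", filename, data, "image/png",
    )
    headers = {"Api-Key": api_key, "Api-Username": api_username, "Content-Type": content_type}
    status, resp = http("POST", base_url.rstrip("/") + "/uploads.json", headers, body, transport)
    if status != 200:
        raise RuntimeError(f"upload failed: HTTP {status}")
    url = json.loads(resp)["url"]
    return url if url.startswith("http") else base_url.rstrip("/") + url


def is_exposed(upload_url, transport=None):
    """True if the stored file is served (HTTP 200) to a request carrying no credentials at all."""
    status, _ = http("GET", upload_url, {}, None, transport)
    return status == 200


def fake_discourse(serves_anonymously):
    """Constructed in-memory stand-in for a forum: records uploads under the path pattern from the
    post, then either serves them to anyone (the reported behaviour) or refuses anonymous GETs."""
    stored = set()

    def transport(method, url, headers, body):
        path = urllib.parse.urlparse(url).path
        if method == "POST" and path == "/uploads.json":
            if headers.get("Api-Key") != "valid-key":
                return 403, b'{"errors":["bad api key"]}'
            if b'name="for_private_message"\r\n\r\ntrue' not in body:
                return 422, b'{"errors":["expected for_private_message"]}'
            stored_path = "/uploads/default/original/1X/" + uuid.uuid4().hex + ".png"
            stored.add(stored_path)
            return 200, json.dumps({"url": stored_path}).encode()
        if method == "GET" and path in stored:
            authenticated = "Cookie" in headers or "Api-Key" in headers
            return (200, TINY_PNG) if (serves_anonymously or authenticated) else (403, b"")
        return 404, b""

    return transport


def main(argv):
    """Usage: DISCOURSE_API_KEY=... python pm_upload_check.py https://forum.example some_username"""
    if len(argv) != 3 or "DISCOURSE_API_KEY" not in os.environ:
        print(main.__doc__)
        return 2
    url = upload_private_image(argv[1], os.environ["DISCOURSE_API_KEY"], argv[2], "pm-check.png", TINY_PNG)
    print("stored at", url)
    print("EXPOSED: anonymous GET returned 200" if is_exposed(url) else "protected: anonymous GET was refused")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a staging copy of the forum with an API key for an ordinary (non-admin) user, since the question is what a normal participant's attachment looks like from outside. A 200 on the anonymous GET reproduces what the post describes; a non-200 (403, 404 or a redirect to a login page) means the file is no longer served by raw path alone. Treat the reported status as the finding and keep the uploaded test image's URL with the evidence.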