Ok so I found the place where Markdown for attachments is generated and as far as I understand the plugin API one cannot (easily) override it (I even think one should not do it).
So my initial thought of adding a ?dl=1 param to those urls seems like the wrong way to do it.
Regarding not-forcing downloads for resolved short-urls: If I understand the argument against public ACLs on S3 buckets correctly, one should either:
- serve files from S3 via a CDN (unfeasible for attachments as @martin pointed, as we may not be able to correctly set the filename for download in this case)
- create a presigned url for the S3 object
But the current behavior does neither and expects the S3 bucket to have a public ACL. This also seems to be the case for supported S3 providers (including amazon), so I’d ask why not make the force_download option in Discourse.store.url_for default to true when resolving short-urls for S3 stores?