Added in the Discourse 2.4 release in February is the Secure Media feature, which provides a higher degree of security for ALL uploads (images, video, audio, text, pdfs, zips, and others) within a Discourse instance.
You must have S3 uploads enabled on your site, which needs the following settings to be filled:
- S3 access key id
- S3 secret access key
- S3 region
- S3 upload bucket
You also must be using an S3 bucket that is NOT Public, and you need to make sure that all existing uploads have a public-read S3 ACL. See the “Enabling Secure Media” below.
After these prerequisites are satisfied you can enable the “secure media” site setting.
Enabling Secure Media
HERE BE DRAGONS
This is an advanced feature and support outside of our Enterprise tier will be limited at best. Only enable secure media if you are an expert user.
To enable secure media, you need to follow these steps:
- Ensure you have S3 uploads configured.
- Take note whether your S3 bucket is Public. If it is, there is an additional step required.
- Run the
uploads:sync_s3_aclsrake task. This will make sure all your uploads have the correct ACL in S3. This is important; if you do step 4 before doing this some uploads may become inaccessible on your forum.
- Make your S3 bucket not Public if it was Public in step 1.
- Enable the “secure media” site setting. Optionally enable the “prevent anons from downloading files” site setting to stop anonymous users downloading attachments from public posts. Any uploads from this time on could possibly be marked as secure depending on the conditions below.
- If you want all uploads retroactively to be analysed and possibly marked as secure, run the
What it does
Once you have enabled Secure Media, any file uploaded via the Composer will either be marked as secure or not secure based on the following criteria:
- If you have the “login required” site setting enabled, all media will be marked as secure, and anonymous users will not be able to access it.
- If you are uploading media within a Private Message, it will be marked as secure.
- If you are uploading media within a Topic that is inside a private Category, it will be marked as secure.
The upload on S3 will have a private ACL, so direct links to the file on S3 will throw a 403 access denied error. Any and all access to secure uploads will be via an S3 presigned URL. This will be hidden to your users though; if an upload is secure any reference to it will be made via the /secure-media-uploads/ Discourse URL.
Permissions and access control
The /secure-media-uploads/ URL will determine whether the current user is allowed to access the media and serve it if they are. When the upload is created, the post that it first appears in will be set to its “access control post” and all permissions will be based on that post.
- If you have the “login required” site setting enabled, anonymous users will always get a 404 error accessing the URL.
- If accessing media whose access control post is a Private Message, the user must be a part of that Private Message topic to access the media, otherwise the user will get a 403 error.
- If accessing media whose access control post is within a topic that is inside a private Category, the user must have access to that category to access the media, otherwise the user will get a 403 error.
Copying /secure-media-uploads/ URLs around between Posts and Topics is unwise, as different users will have different access levels within your Discourse forums. New uploads should always be created via the Composer. Oneboxes and hotlinked images will also respect the secure media rules. Site setting uploads, emojis, and theme uploads are unaffected by secure media, as they must be public.
If an access control post is deleted, the attached upload will no longer be accessible.
Moving posts with secure media
If you move an “access control post” between different security contexts then the upload attached can possibly be changed to secure or not secure. These are the situations which may change security for an upload:
- Changing a topic category. Will cycle through all posts in the topic and update upload security status accordingly.
- Changing a topic between being a public topic and private message. Will do the same as above.
- Moving posts from a topic to a new or existing other topic. Will run the same as the above on the target topic.
At this time secure media is available to our enterprise customers only. Please contact us for more details.