Site assets with anonymous download prevention enabled


(James Milligan) #1

Where should site assets, such as favicons, logos, etc., be uploaded to if the “prevent anons from downloading files” setting is enabled? The help text on that box says the following: “Prevent anonymous users from downloading files. WARNING: this will prevent any site assets posted as attachments from working.”

I can obviously access the public/images/ folder in the container, but this will get lost on upgrade, right?


(Jeff Atwood) #2

I think @zogstrip did this on click not as a server side validation?


(James Milligan) #3

@codinghorror might be me but I don’t quite understand your reply. Do you mean that Discourse recognises that the image is to be loaded in a public view rather than locked down?


(Kane York) #4

You can stick them in /var/discourse/shared/standalone/images/logo.png and use app.yml to symlink them into /var/www/discourse/public/images/.
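
The symlink approach from post #4 as an app.yml fragment. This is an added example, not part of the original thread or Discourse's own configuration. It assumes the standard standalone layout, where /var/discourse/shared/standalone on the host is mounted at /shared inside the container and $home is /var/www/discourse; logo.png is the file name used in the post.

```yaml
# containers/app.yml (fragment)
# Assumed standard volume mapping: the host directory survives rebuilds.
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared

hooks:
  after_code:
    - exec:
        cd: $home
        cmd:
          # Recreate the link on every rebuild so the asset is served from
          # public/images/ while the file itself lives on the shared volume.
          - ln -sf /shared/images/logo.png public/images/logo.png
```

The link is created when the container is rebuilt (`./launcher rebuild app`), so the file placed under shared/standalone/images/ is not lost on upgrade.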


(Jeff Atwood) #5

Anyway, images don’t count as files… only attachments (pdf, doc, csv, etc) would count as files. @zogstrip maybe you can clarify?


(James Milligan) #6

Can confirm that images uploaded as attachments to the ‘asset’ thread are visible even to users not logged in.

Might be worth adjusting the text in the settings panel then as it’s a bit misleading?


(Jeff Atwood) #7

OK I just changed it to:

Prevent anonymous users from downloading attachments. WARNING: this will prevent any non-image site assets posted as attachments from working.


(Régis Hanol) #8

Checked in the code and it only prevents attachments from being downloaded 🔭 🐊
