This correctly prevents new users from uploading images before they upload them
Configure Embedded media post allowed groups
Exclude certain groups from the allowed list
When a user not in the allowed groups uploads an image:
The image can appear in the editor
Only when submitting the post is it blocked
Problem
During editing, the user can copy the link of the uploaded image to bypass the upload restriction and post it
Expected Behavior
Our goal is to prevent users from uploading images. Users not in the allowed groups should not be able to insert any embedded media into the editor at all — it should block uploads at the time of uploading, just like when Newuser max embedded media = 0 is applied.
Otherwise they can copy the link of the uploaded image and effectively bypass the restriction to upload it.
I don’t know if this is a new issue, but we just noticed it too:
It seems like the image upload to the S3 bucket (cdck-file-uploads-global.s3.dualstack.us-west-2.amazonaws.com) happens as soon as the image is pasted. The embed check doesn’t happen until the post is submitted, but by then the image already exists in the bucket, and can be linked to with any of the following:
Its S3 URL
Its Discourse short URL
Its generated upload:// URL (i.e., simply removing the ! from the beginning of the autogenerated upload embed code)
I’m worried this means that even failed embeddings (i.e., attempted uploads that were subsequently denied) were still uploaded to the bucket, and are secretly counting against the site’s storage quota even if the uploader thought it was denied and nobody else can see the upload.
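An audit sketch for the three link forms listed in the post above, as an added example that is not part of the thread or Discourse's own code: it scans saved post Markdown from users outside the allowed groups for upload references that are not image embeds. The short URL and upload:// shapes, the post and group field names, and the sample posts are assumptions constructed for illustration.

```ruby
# Added example: flag posts that link to an upload without embedding it.
# Host is the bucket named in the thread; the other URL shapes are assumed.
S3_HOST = "cdck-file-uploads-global.s3.dualstack.us-west-2.amazonaws.com"

PATTERNS = {
  s3_url:     %r{https?://#{Regexp.escape(S3_HOST)}/[^\s)\]]+},
  short_url:  %r{/uploads/short-url/[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)?},
  upload_url: %r{upload://[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)?}
}.freeze

# Markdown image embed: ![alt](target), the form the thread says is checked on submit.
EMBED = /!\[[^\]]*\]\([^)]*\)/

# Return upload references in +raw+ that are NOT inside an image embed.
def linked_uploads(raw)
  without_embeds = raw.gsub(EMBED, "")
  PATTERNS.flat_map do |form, re|
    without_embeds.scan(re).uniq.map { |url| { form: form, url: url } }
  end
end

# Flag posts whose author is in none of the allowed groups but links an upload.
def flag_posts(posts, allowed_groups)
  posts.each_with_object([]) do |post, flagged|
    next if (post[:groups] & allowed_groups).any?
    refs = linked_uploads(post[:raw])
    flagged << { id: post[:id], refs: refs } unless refs.empty?
  end
end

# Constructed sample posts (hypothetical ids, group names and upload keys).
SAMPLE_POSTS = [
  { id: 1, groups: ["new_users"], raw: "look [shot|690x388](upload://aBc123XyZ.png)" },
  { id: 2, groups: ["new_users"], raw: "![shot|690x388](upload://aBc123XyZ.png)" },
  { id: 3, groups: ["members"],   raw: "https://#{S3_HOST}/constructed/abc.png" },
  { id: 4, groups: ["new_users"],
    raw: "see https://#{S3_HOST}/constructed/abc.png or /uploads/short-url/aBc123XyZ.png" }
]

if __FILE__ == $PROGRAM_NAME
  flag_posts(SAMPLE_POSTS, ["members"]).each do |hit|
    puts "post #{hit[:id]}: #{hit[:refs].map { |r| r[:form] }.join(', ')}"
  end
end
```

Embeds are stripped before matching, so a post is flagged only when an upload is referenced as a plain link or bare URL.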