Images in posts are publicly accessible even when the post is accessible to paid-members or members only or when the site is private #11627

Closed
TheodoreChu opened this issue Feb 29, 2020 · 2 comments
Labels
support request [triage] A support request that belongs on the forum https://forum.ghost.org/c/help

Comments

@TheodoreChu
Contributor

Welcome to Ghost's GitHub repo! 👋🎉

We use GitHub only for bug reports 🐛

Anything else should be posted to https://forum.ghost.org 👫

🚨For support, help & questions use https://forum.ghost.org/c/help
💡For feature requests & ideas you can post and vote on https://forum.ghost.org/c/Ideas

If your issue is with Ghost CLI, please report it on the CLI repo ➡️ https://github.com/TryGhost/Ghost-CLI/issues/new.

Issue Summary

If an image in a post is accessible to members or paid-members only, the image is still available at the link (e.g., https://domain.tld/content/images/path/to/image).

To Reproduce

  1. Create a post
  2. Upload an image into the post
  3. Make the post available to paid-members only
  4. Publish the post
  5. Log into the site as a paid member
  6. Visit the post
  7. Locate the image
  8. Copy the image's location
  9. Open a new incognito window in a different browser
  10. Paste the image's location into the browser
  11. View the image

Also:

Repeat the steps with the site private

Any other info e.g. Why do you consider this to be a bug? What did you expect to happen instead?

This means that non-members and non-paid-members can access restricted content. This is bad for publishers whose content is photographs. It also gives site owners who use the site password feature to protect all their content a false sense of security.

Technical details:

  • Ghost Version: 3.8.0
  • Node Version:
  • Browser/OS: any
  • Database: mysql
@TheodoreChu TheodoreChu changed the title Images in posts are publicly accessible even when the post is accessable to paid-members or members only or when the site is private Images in posts are publicly accessible even when the post is accessible to paid-members or members only or when the site is private Feb 29, 2020
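
The check in the reproduction steps above, automated for a site owner auditing their own install (an added example, not part of the original issue and not Ghost's code). The post objects, their `visibility` values, the `SITE` constant and all function names are assumptions constructed for illustration.

```javascript
// Added example: not Ghost code. SITE and SAMPLE_POSTS are constructed sample data.
const SITE = 'https://domain.tld';
const IMAGE_PREFIX = '/content/images/';
const SAMPLE_POSTS = [
  { slug: 'free-post', visibility: 'public', html: '<img src="/content/images/2020/02/a.jpg">' },
  { slug: 'paid-gallery', visibility: 'paid',
    html: '<img src="https://domain.tld/content/images/2020/02/b.jpg" ' +
          'srcset="/content/images/size/w600/2020/02/b.jpg 600w, ' +
          '/content/images/size/w1000/2020/02/b.jpg 1000w">' +
          '<img src="https://cdn.example/c.jpg">' },
];

// Collect every src/srcset URL in the post HTML that points at the site's own image store.
function extractContentImages(html, siteUrl) {
  const origin = new URL(siteUrl).origin;
  const found = new Set();
  for (const m of html.matchAll(/\b(src|srcset)\s*=\s*"([^"]*)"/gi)) {
    // srcset is a comma-separated list of "url descriptor" pairs; src is one URL.
    const parts = m[1].toLowerCase() === 'srcset' ? m[2].split(',') : [m[2]];
    for (const part of parts) {
      const raw = part.trim().split(/\s+/)[0];
      if (!raw) continue;
      let url;
      try { url = new URL(raw, siteUrl); } catch { continue; }
      if (url.origin === origin && url.pathname.startsWith(IMAGE_PREFIX)) found.add(url.href);
    }
  }
  return [...found].sort();
}

// Request each URL with no cookies, as the incognito window in steps 9-11 does.
async function probeAnonymously(urls, fetchImpl = fetch) {
  const statusByUrl = new Map();
  for (const url of urls) {
    const res = await fetchImpl(url, { method: 'HEAD', credentials: 'omit', redirect: 'manual' });
    statusByUrl.set(url, res.status);
  }
  return statusByUrl;
}

// Report images of non-public posts that answered 200 to the anonymous request.
function exposedImages(posts, siteUrl, statusByUrl) {
  const report = [];
  for (const post of posts) {
    if (post.visibility === 'public') continue;
    for (const url of extractContentImages(post.html, siteUrl)) {
      if (statusByUrl.get(url) === 200) report.push({ slug: post.slug, url });
    }
  }
  return report;
}
```

Against a live site, pass the extracted URLs to `probeAnonymously` and hand the resulting map to `exposedImages`; any entry in the report is an image of a restricted post that is readable without a session.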
@naz
Contributor

naz commented Mar 2, 2020

@TheodoreChu this behaviour is by design, as described in an older issue here - #7768 (comment). If you see this being a highly needed feature, feel free to open up a topic in the "Ideas" category on the community forum - https://forum.ghost.org/c/Ideas.

@naz naz added the support request [triage] A support request that belongs on the forum https://forum.ghost.org/c/help label Mar 2, 2020
@label-actions
label-actions bot commented Mar 2, 2020

Hey @TheodoreChu 👋 We ask that you please do not use GitHub for help or support 😄. We use GitHub solely for bug-tracking and on-going feature development.

Many questions can be answered by reviewing our documentation. If you can't find an answer then our forum is a great place to get community support, plus it helps create a central location for searching problems/solutions.

FYI: Many projects have their own support guidelines and GitHub will highlight them for you as it did here, or the project owners will use issue templates to point you in the right direction. Reading the guidelines or issue templates before opening issues can save you and project maintainers valuable time.

@label-actions label-actions bot closed this as completed Mar 2, 2020