This issue was moved to a discussion.
Accessing direct asset still works with Storage Asset Presets on Presets only #8882

Closed · 3 tasks done
flayks opened this issue Oct 17, 2021 · 3 comments

Comments

@flayks

flayks commented Oct 17, 2021

Preflight Checklist

Describe the Bug

With the Storage Asset Presets setting set to Presets only, we can still access a URL like https://api.site.tld/assets/5dc1ea10-233b-449f-8d6b-bee77af038fe, which allows seeing the original uploaded file. This could be an issue, especially for full-size images that we would like to protect?

I know it is not the safest thing to leave large images on the internet, but it would at least be cool to be able to disable this direct link without a key parameter in order to protect this "full size" file. If not, is there a way to restrict it on the front-end side with Caddy or Nginx?

Just an idea.

To Reproduce

Just access an asset URL like api.site.tld/assets/5dc1ea10-233b-449f-8d6b-bee77af038fe without any key parameter.

Errors Shown

No response

What version of Directus are you using?

9.0.0-rc.98

What version of Node.js are you using?

14.18.0

What database are you using?

MySQL

What browser are you using?

Brave

What operating system are you using?

macOS Big Sur (11)

How are you deploying Directus?

Locally and Docker
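As an added example (not part of this issue and not Directus' own configuration), this is the kind of reverse-proxy rule the reporter asks about: nginx refuses any direct-asset request that carries no key= preset parameter, whether or not an access_token is present. It assumes nginx fronts api.site.tld and that Directus listens on 127.0.0.1:8055; both values are assumptions to adjust for your deployment.

```nginx
# Added example, not from the issue or from Directus.
# Assumptions: nginx terminates TLS for api.site.tld; Directus listens on
# 127.0.0.1:8055 (its default port).
server {
    listen 443 ssl;
    server_name api.site.tld;
    # ssl_certificate / ssl_certificate_key directives omitted here

    # Matches asset UUID paths such as
    # /assets/5dc1ea10-233b-449f-8d6b-bee77af038fe (optionally /<filename>)
    location ~ ^/assets/[0-9a-fA-F-]{36}(/.*)?$ {
        # Location matching ignores the query string, so check it explicitly:
        # a request with no key= parameter would yield the original upload,
        # so refuse it before it reaches Directus.
        if ($arg_key = "") {
            return 403;
        }
        proxy_pass http://127.0.0.1:8055;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else goes to Directus unchanged
    location / {
        proxy_pass http://127.0.0.1:8055;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Note that this also refuses any client that legitimately needs the original file (for example an admin download link), so verify that with your own workflows; a tighter variant replaces the empty-string check with an allowlist of your configured preset key names.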

@joselcvarela (Member)

Hello @flayks
I cannot reproduce your problem. Didn't you configure any permissions for the public role?

@flayks (Author)

flayks commented Oct 17, 2021

> Hello @flayks I cannot reproduce your problem. Didn't you configure any permissions for the public role?

Not particularly, I just use the App Access Minimum preset for the Directus collections:

[screenshot of the permission settings; image not included in the extracted page]

@flayks flayks closed this as completed Oct 17, 2021
@flayks (Author)

flayks commented Oct 17, 2021

@joselcvarela After some exploration, I can still access the original asset by removing the key parameter and using an access_token in the asset URL 🤔, either with a Custom role or the default Public one.

@flayks flayks reopened this Oct 17, 2021
@directus directus locked and limited conversation to collaborators Oct 18, 2021
