Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
FIX: Change secure media to encompass attachments as well #9271
If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”.
This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
* when the prevent_anon_from_downloading_files setting was changed we were enqueueing a job that ran through ALL uploads and did update_secure_status. this is unnecessary because prevent_anon has no bearing on secure status. * the only job that needs to be run related to uploads is the uploads:secure_upload_analyse_and_update job, which must be run manually when secure media is changed * also get rid of part of s3 job that was marking uploads with a private acl if prevent_anon_from_downloading_files was enabled, because this does not happen anywhere else in the app
* also do the same if the prevent anons setting is _not_ enabled and the user is anon, because we still don't want anons to get their mitts on uploads where we dont have to post to check if the post is public or not
This pull request has been mentioned on Discourse Meta. There might be relevant details there: