New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Attach attachments of issues/comments in notification emails #15081
Comments
When you say 'absent' do you mean that the attachment link is there but not accessible? From what I observe the linked attachment requires authentication to view it - and of course the email client is not authenticated to Gitea (see screenshot). What could be the workaround? Modify the configuration somehow so that attachments do not require authentication? Of course you would need to accept the security risk of making attachments publicly available. |
The attachment URL is "https://xxxx/team/repo/attachments/222a65d6-b297-4477-bb9b-1c55e46dd4e9", so it won't be displayed unless the repository has public access. The fix can be "Allow anonymous to access attachments in non-public repositories", but I do not know whether this change affects security concerns. From my side, I think it's OK. |
Another more secure design can be: Add a When a attachment should be accessed without authentication, use a URL like "http://.../attachments/xxxxx?timestamp=yyyyyy&sign=zzzzzzzz", the sign is calculated by secret_seed and timestamp. But this mechanism is too complex. "Allow anonymous to access attachments in non-public repositories" seems enough. |
Is the idea with this option that the link has a brief lifetime of when it will work? Similar to an Amazon S3 presigned URL that expires after 7 days? I can see how that could help with reducing exposure to possible URL guessing attacks (although attachments being GUIDs already makes that type of attack difficult)
I would agree. Allow the admin to decide whether the convenience of rendering attachments unauthenticated is worth the security tradeoff. |
I don't think this is the best resolution. The link maybe not visited from users' computer directly. And the gitea service maybe stopped because of maintain. I would like embed files in email if it's an image or attachment files in email. |
@lunny I just tried on GitHub. What GitHub does is the simple solution: do not limit attachment access. For example, I uploaded an attachment into my private repository on GitHub, the attachment can be accessed anonymously: https://user-images.githubusercontent.com/2114189/132302915-624237f7-54f9-42c4-8d19-ba9034bf433d.png So I think it's still reasonable to use the simple mechanism. |
Yes, the |
the best simple way maybe image embed in content by base64 data directly.
https://www.w3docs.com/snippets/html/how-to-display-base64-images-in-html.html |
When post issues or comments with attachments, some notification emails will be sent to related users. But the attachments is absent.
The text was updated successfully, but these errors were encountered: