Make uploaded files private...?


  • I would like to make access to files uploaded to my NodeBB private. I found this short thread that suggests the option to "Make uploaded files private" will do exactly this: Make Uploaded Files Private Setting Explanation

    However, as far as I can determine, enabling this setting has no effect. If I upload a file, I can copy its URL, and access it from anywhere. Is there something I'm missing?

    I've got NodeBB 1.5.1 installed on a windows machine (with Node 4.4.3). Is there anything more that should be done to enable this feature, beyond flipping a simple switch in the settings, or does it not actually do what I think it does?

    I tried the asset manager plugin referenced at the end of the above thread, but it appears to be unmaintained, and hasn't worked since at least NodeBB 1.1.2.

    Any suggestions?

  • NodeBB

    That setting just prevents users that are not logged in from accesing the files.


  • Right...that's what I was hoping it would do. But it's not happening for me (i.e., I can access the URL to an uploaded file from anywhere, without being logged-in). What might I be missing?

  • Global Moderator

    If it does, then that's a bug. Open an issue on Github.

  • NodeBB

    @mgl What are the urls of the uploads?


  • They end up something like: http://hostname:4567/mynodebb/assets/uploads/files/abc.pdf

    (Edit: actually, they all get prefixed with a random string timestamp in milliseconds, so it's more like http://hostname:4567/mynodebb/assets/uploads/files/1496954435705-abc.pdf)

  • NodeBB


  • @baris, many thanks.

    I'm curious though...what would it take to apply group-level permissions? Is that something that the asset manager plugin would offer, if it were functional?


  • Sorry for the "necro", but I have the same question about group-level permissions with my actual work with nodebb 1.10.1...

    First example :

    • I create a category "Toto" only visible and accessible to a group "groupOK".
    • I create a topic "Coucou" in it with a file "try.pdf" uploaded in the post.
    • A user not member of "groupOK" can't see this category "Toto" (good), can't see the topic "Coucou" (good), but if he knows the full url of "try.pdf", he can access it : it's not good...

    Uploaded files should inherit access laws from their parents. No ?

    Another example :

    • I create a category "Tata".
    • I create a sub-category "Gigi" which is an "external link" to a file "gigi.pdf" that I directly uploaded to the server (url in the external link field : /assets/uploads/files/gigi.pdf). I put privileges on this sub-category to make it not visible and not accessible if user is not in a group "groupOK".
    • A user not member of "groupOK" can't see this sub-category "Gigi" (good), but if he knows the full url of "gigi.pdf", he can access it : it's not good...

    Is it a bug ? Or I must make a plugin to control access on uploaded files ? If yes, any useful info would be cool (about hook, etc...)... 😉


  • @baris said in Make uploaded files private...?:

    That setting just prevents users that are not logged in from accesing the files.

    is it possible to have both public and private file uploads on the forum?

    Now, I see that ACP asks for the file extension to make private, however in our case we want most of the pdfs to be public, but sometimes there are some pdfs that contains personal contact information which we do not want to expose outside so easily.

    Would it be possible (or easy) to create different upload buttons/systems for public or private files?

    The same question for urls... Is it possible to create private url? Sometimes, we share box/dropbox links to download some files, I think it would be better if those "url"s are not seen publicly.

  • Community Rep

    Old thread but I wonder if consideration has been given to the potential for abuse with such a scheme? Or is/was it your intention to create a warez depo??


  • @gotwf said in Make uploaded files private...?:

    Old thread but I wonder if consideration has been given to the potential for abuse with such a scheme? Or is/was it your intention to create a warez depo??

    Sorry, I was not sure... Is this question for me to answer? Or to the first user on the topic?

  • Community Rep

    @crazycells Nope. Not unless you feel the urge/need. I was making more of a generic comment pointing out a potential pitfall. Cuz there's always a sub population of miscreants who will try to exploit the hard work of others for jollies, profit, etc. ✌

Suggested Topics

| |