Make uploaded files private...?
I would like to make access to files uploaded to my NodeBB private. I found this short thread that suggests the option to "Make uploaded files private" will do exactly this: Make Uploaded Files Private Setting Explanation
However, as far as I can determine, enabling this setting has no effect. If I upload a file, I can copy its URL, and access it from anywhere. Is there something I'm missing?
I've got NodeBB 1.5.1 installed on a windows machine (with Node 4.4.3). Is there anything more that should be done to enable this feature, beyond flipping a simple switch in the settings, or does it not actually do what I think it does?
I tried the asset manager plugin referenced at the end of the above thread, but it appears to be unmaintained, and hasn't worked since at least NodeBB 1.1.2.
That setting just prevents users that are not logged in from accesing the files.
Right...that's what I was hoping it would do. But it's not happening for me (i.e., I can access the URL to an uploaded file from anywhere, without being logged-in). What might I be missing?
If it does, then that's a bug. Open an issue on Github.
@mgl What are the urls of the uploads?
They end up something like: http://hostname:4567/mynodebb/assets/uploads/files/abc.pdf
(Edit: actually, they all get prefixed with a
random stringtimestamp in milliseconds, so it's more like http://hostname:4567/mynodebb/assets/uploads/files/1496954435705-abc.pdf)
Should be fix here https://github.com/NodeBB/NodeBB/issues/5749
@baris, many thanks.
I'm curious though...what would it take to apply group-level permissions? Is that something that the asset manager plugin would offer, if it were functional?
Sorry for the "necro", but I have the same question about group-level permissions with my actual work with nodebb 1.10.1...
First example :
- I create a category "Toto" only visible and accessible to a group "groupOK".
- I create a topic "Coucou" in it with a file "try.pdf" uploaded in the post.
- A user not member of "groupOK" can't see this category "Toto" (good), can't see the topic "Coucou" (good), but if he knows the full url of "try.pdf", he can access it : it's not good...
Uploaded files should inherit access laws from their parents. No ?
Another example :
- I create a category "Tata".
- I create a sub-category "Gigi" which is an "external link" to a file "gigi.pdf" that I directly uploaded to the server (url in the external link field : /assets/uploads/files/gigi.pdf). I put privileges on this sub-category to make it not visible and not accessible if user is not in a group "groupOK".
- A user not member of "groupOK" can't see this sub-category "Gigi" (good), but if he knows the full url of "gigi.pdf", he can access it : it's not good...
Is it a bug ? Or I must make a plugin to control access on uploaded files ? If yes, any useful info would be cool (about hook, etc...)...