Make uploaded files private...?
They end up something like: http://hostname:4567/mynodebb/assets/uploads/files/abc.pdf
(Edit: actually, they all get prefixed with a ~~random string~~ timestamp in milliseconds, so it's more like http://hostname:4567/mynodebb/assets/uploads/files/1496954435705-abc.pdf)
Sorry for the "necro", but I have the same question about group-level permissions with my actual work with nodebb 1.10.1...
First example:
- I create a category "Toto" only visible and accessible to a group "groupOK".
- I create a topic "Coucou" in it with a file "try.pdf" uploaded in the post.
- A user who is not a member of "groupOK" can't see this category "Toto" (good), can't see the topic "Coucou" (good), but if he knows the full URL of "try.pdf", he can access it: it's not good...
Uploaded files should inherit access laws from their parents. No?
Another example:
- I create a category "Tata".
- I create a sub-category "Gigi" which is an "external link" to a file "gigi.pdf" that I directly uploaded to the server (URL in the external link field: /assets/uploads/files/gigi.pdf). I put privileges on this sub-category to make it not visible and not accessible if the user is not in a group "groupOK".
- A user who is not a member of "groupOK" can't see this sub-category "Gigi" (good), but if he knows the full URL of "gigi.pdf", he can access it: it's not good...
Is it a bug? Or must I make a plugin to control access on uploaded files? If yes, any useful info would be cool (about hooks, etc.)...
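The check asked about above, where an upload inherits the read privileges of the category that owns it, shown as an added example that is not part of any post in this thread and is not NodeBB code. The names `uploadOwner`, `categoryReaders` and `authorizeUpload` are hypothetical, and the tables are constructed sample data built from the file and group names in the post.

```javascript
// Added example. The tables below are constructed sample data, not NodeBB's data model.
const UPLOAD_PREFIX = '/assets/uploads/files/';

// Hypothetical index: stored file name -> category (cid) of the post or link that owns it.
const uploadOwner = new Map([
  ['1496954435705-try.pdf', 'toto'],
  ['gigi.pdf', 'gigi'],
  ['1496954435999-flyer.pdf', 'announcements'],
]);

// Hypothetical read privileges: cid -> groups allowed to read that category.
const categoryReaders = new Map([
  ['toto', new Set(['groupOK'])],
  ['gigi', new Set(['groupOK'])],
  ['announcements', new Set(['guests', 'registered-users', 'groupOK'])],
]);

// Decide whether a request for an upload URL path may be served.
// Returns { status, file? }; the caller streams the file only on status 200.
function authorizeUpload(urlPath, userGroups) {
  if (typeof urlPath !== 'string' || !urlPath.startsWith(UPLOAD_PREFIX)) {
    return { status: 404 };
  }
  let name;
  try {
    name = decodeURIComponent(urlPath.slice(UPLOAD_PREFIX.length));
  } catch (err) {
    return { status: 400 }; // malformed percent-encoding
  }
  // Only a bare file name is valid: no separators, NUL bytes or dot segments.
  if (/[\/\\\0]/.test(name) || name === '.' || name === '..') {
    return { status: 400 };
  }
  const cid = uploadOwner.get(name);
  // Deny by default: a file with no known parent is not served at all.
  if (cid === undefined) {
    return { status: 404 };
  }
  const readers = categoryReaders.get(cid) || new Set();
  const allowed = userGroups.some((group) => readers.has(group));
  // 404 rather than 403, so the response does not confirm the file exists.
  return allowed ? { status: 200, file: name } : { status: 404 };
}
```

For this to have any effect, the uploads directory must not also be reachable through a static file route that skips the check.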
That setting just prevents users that are not logged in from accessing the files.
Is it possible to have both public and private file uploads on the forum?
Now, I see that ACP asks for the file extension to make private, however in our case we want most of the pdfs to be public, but sometimes there are some pdfs that contain personal contact information which we do not want to expose outside so easily.
Would it be possible (or easy) to create different upload buttons/systems for public or private files?
The same question for URLs... Is it possible to create a private URL? Sometimes, we share box/dropbox links to download some files, I think it would be better if those "url"s are not seen publicly.
@crazycells Nope. Not unless you feel the urge/need. I was making more of a generic comment pointing out a potential pitfall. Cuz there's always a sub population of miscreants who will try to exploit the hard work of others for jollies, profit, etc.