Group level permissions for uploaded files?

Technical Support
  • There's some mention of this previously (at the bottom of: Re: Make uploaded files private...?.

    Basically is there any way to make uploaded files only accessible to members of a specific group? At the moment any registered user can access any uploaded file if they have the correct link.

    Using: NodeBB v1.11.0.


  • Ah. This limitation is troubling me a lot....I'm surprised it doesn't trouble others...

    Guess I'll just start investigating how to implement it myself.

    Any pointers appreciated. 👍

  • You haven't really described how this would work. Who can view who's uploaded files? What happens when multiple groups are involved?

  • @PitaJ

    No worries I can explain:

    I've set up a category (Data Technology Team) that I only want one group (NTG Data Tech Team) to access:


    I've set up permissions so only group members can access the private category:


    I've created a post in the private category and uploaded an image into that post:


    I can right click on that image and save a link to it's address:

    If ANYBODY has that address they can access the picture.

    I'd like to be able to tell users that only group members can access that picture, even if an unauthorised person discovers a link to it.

    This extra level of security creates peace of mind when posting private material.

    I guess it would be nice to have an extra column in the privileges configuration panel that allows/disallows access to uploads associated with each category. That way you can control which group(s) or users can access them.

    (I noticed that the nodebb-plugin-poll adds an extra column in the privileges configuration section....maybe a plugin could solve this problem)

    Otherwise, everything is perfect!

  • @quokka @PitaJ
    I need exactly the same thing ! 😉

  • @alfazaz

    Ah well. I guess we can assume that this isn't a problem for most. I'm going to stick with NodeBB for public facing posts (It is a forum after all).

    For sharing sensitive data I'm going to use other more secure platforms (Nextcloud).

    Good luck!

Suggested Topics

  • 1 Votes
    6 Posts

    Finally getting back around to testing this, still not having much luck. After digging through a lot of the code, and reading through the unit tests for the /api/post/upload endpoint, a user is logged in first.

    I have been trying to do this with only an API token, as this process is loading data from another system. I really don't want to have to store a password in addition to an API token when doing my data load.

    I guess my next question is: Is /api/post/upload even usable without logging in with a username/password?

  • 0 Votes
    7 Posts

    Okay so just to confirm this is caused by an error in sharp, try creating a file called test-sharp.js in your nodebb directory with the following contents:

    'use strict'; const fs = require('fs/promises'); const sharp = require('sharp'); async function run() { const input = await fs.readFile('public/logo.png'); await sharp(input) .resize({ width: 100 }) .toFile('build/public/logo.png'); } run().then(() => {}, err => setTimeout(() => { throw err; }, 0));

    Then run it like node test-sharp.js. It should create the file build/public/logo.png. Check the exit code with echo $?.

  • Moderator Permissions

    Technical Support
    0 Votes
    5 Posts

    It is actually planned:
    Two of the permissions that are supposed to be split are Global account info access and
    Global user sessions access.
    Unfortunately, there seems to be no ETA, and the issue is from 2017, so it might take some time before it's added... But there is hope 🙂

  • 0 Votes
    3 Posts

    You could also just make a new location block that points to to .well-known location on your disk.

    I have my main forums ( under /var/www/nodebb/forums, and then have the under /var/www/.well-known

  • 0 Votes
    1 Posts

    After installing NodeBB I've been trying to configure Emoji. I've installed nodebb-plugin-emoji-extended and nodebb-plugin-emoji-one through the admin interface and have also activated them. But in the front-end the smiley selection button above the messages box does not appear.

    I've tried running "Update Files" in the ACP, which doesn't seem to be working. Popping up the console, I see various errors stating "GET net::ERR_CONNECTION_REFUSED" (from acp.min.js?v=a114ca78-1b00-48b4-8cb1-6d5fb06836f3:5).

    Help would be much appreciated.