FIX: Change secure media to encompass attachments as well (#9271)

If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2025-06-04 23:36:11 +08:00 · 2020-03-26 07:16:02 +10:00
parent 4fa580fbd1
commit 097851c135
16 changed files with 106 additions and 127 deletions
--- a/spec/requests/uploads_controller_multisite_spec.rb
+++ b/spec/requests/uploads_controller_multisite_spec.rb
@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe UploadsController do
+  let!(:user) { Fabricate(:user) }
+
+  describe "#show_short" do
+    describe "s3 store" do
+      let(:upload) { Fabricate(:upload_s3) }
+
+      before do
+        SiteSetting.enable_s3_uploads = true
+        SiteSetting.s3_access_key_id = "fakeid7974664"
+        SiteSetting.s3_secret_access_key = "fakesecretid7974664"
+      end
+
+      context "when upload is secure and secure media enabled" do
+        before do
+          SiteSetting.secure_media = true
+          upload.update(secure: true)
+          stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
+        end
+        context "when running on a multisite connection", type: :multisite do
+          it "redirects to the signed_url_for_path with the multisite DB name in the url" do
+            sign_in(user)
+            freeze_time
+            get upload.short_path
+            expect(response.body).to include(RailsMultisite::ConnectionManagement.current_db)
+          end
+        end
+      end
+    end
+  end
+end
--- a/spec/requests/uploads_controller_spec.rb
+++ b/spec/requests/uploads_controller_spec.rb
@ -352,7 +352,7 @@ describe UploadsController do
      end

      it "returns the right response when anon tries to download a file " \
-         "when prevent_anons_from_downloading_files is true" do
+        "when prevent_anons_from_downloading_files is true" do

        delete "/session/#{user.username}.json"
        SiteSetting.prevent_anons_from_downloading_files = true
@ -386,6 +386,7 @@ describe UploadsController do
        end

        it "redirects to the signed_url_for_path" do
+          sign_in(user)
          freeze_time
          get upload.short_path

@ -393,6 +394,7 @@ describe UploadsController do
        end

        it "raises invalid access if the user cannot access the upload access control post" do
+          sign_in(user)
          post = Fabricate(:post)
          post.topic.change_category_to_id(Fabricate(:private_category, group: Fabricate(:group)).id)
          upload.update(access_control_post: post)
@ -400,14 +402,6 @@ describe UploadsController do
          get upload.short_path
          expect(response.code).to eq("403")
        end
-
-        context "when running on a multisite connection", type: :multisite do
-          it "redirects to the signed_url_for_path with the multisite DB name in the url" do
-            freeze_time
-            get upload.short_path
-            expect(response.body).to include(RailsMultisite::ConnectionManagement.current_db)
-          end
-        end
      end
    end
  end
@ -430,10 +424,15 @@ describe UploadsController do

      def sign_in_and_stub_head
        sign_in(user)
+        stub_head
+      end
+
+      def stub_head
        stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
      end

      before do
+        SiteSetting.authorized_extensions = "*"
        SiteSetting.enable_s3_uploads = true
        SiteSetting.s3_upload_bucket = "s3-upload-bucket"
        SiteSetting.s3_access_key_id = "fakeid7974664"
@ -508,6 +507,46 @@ describe UploadsController do
        end
      end

+      context "when the upload is an attachment file" do
+        before do
+          upload.update(original_filename: 'test.pdf')
+        end
+        it "redirects to the signed_url_for_path" do
+          sign_in_and_stub_head
+          get secure_url
+          expect(response.status).to eq(302)
+          expect(response.redirect_url).to match("Amz-Expires")
+        end
+
+        context "when the user does not have access to the access control post via guardian" do
+          let(:post) { Fabricate(:post) }
+          let!(:private_category) { Fabricate(:private_category, group: Fabricate(:group)) }
+
+          before do
+            post.topic.change_category_to_id(private_category.id)
+            upload.update(access_control_post_id: post.id)
+          end
+
+          it "returns a 403" do
+            sign_in_and_stub_head
+            get secure_url
+            expect(response.status).to eq(403)
+          end
+        end
+
+        context "when the prevent_anons_from_downloading_files setting is enabled and the user is anon" do
+          before do
+            SiteSetting.prevent_anons_from_downloading_files = true
+          end
+          it "returns a 404" do
+            stub_head
+            delete "/session/#{user.username}.json"
+            get secure_url
+            expect(response.status).to eq(404)
+          end
+        end
+      end
+
      context "when secure media is disabled" do
        before do
          SiteSetting.secure_media = false