FEATURE: Add support for secure media (#7888)

This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2025-05-22 22:43:33 +08:00 · 2019-11-17 20:25:42 -05:00
parent 56b19ba740
commit 102909edb3
40 changed files with 1157 additions and 153 deletions
--- a/spec/requests/uploads_controller_spec.rb
+++ b/spec/requests/uploads_controller_spec.rb
@ -361,6 +361,59 @@ describe UploadsController do
    end
  end

+  describe "#show_secure" do
+    describe "local store" do
+      fab!(:image_upload) { upload_file("smallest.png") }
+
+      it "does not return secure media when using local store" do
+        secure_url = image_upload.url.sub("/uploads", "/secure-media-uploads")
+        get secure_url
+
+        expect(response.status).to eq(404)
+      end
+    end
+
+    describe "s3 store" do
+      let(:upload) { Fabricate(:upload_s3) }
+
+      before do
+        SiteSetting.enable_s3_uploads = true
+        SiteSetting.s3_upload_bucket = "s3-upload-bucket"
+        SiteSetting.s3_access_key_id = "fakeid7974664"
+        SiteSetting.s3_secret_access_key = "fakesecretid7974664"
+        SiteSetting.secure_media = true
+      end
+
+      it "should return 404 for anonymous requests requests" do
+        secure_url = upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads")
+        get secure_url
+        expect(response.status).to eq(404)
+      end
+
+      it "should return signed url for legitimate request" do
+        secure_url = upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads")
+        sign_in(user)
+        stub_request(:head, "https://s3-upload-bucket.s3.amazonaws.com/")
+
+        get secure_url
+
+        expect(response.status).to eq(302)
+        expect(response.redirect_url).to match("Amz-Expires")
+      end
+
+      it "should return secure media URL when looking up urls" do
+        upload.update_column(:secure, true)
+        sign_in(user)
+
+        post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
+        expect(response.status).to eq(200)
+
+        result = JSON.parse(response.body)
+        expect(result[0]["url"]).to match("secure-media-uploads")
+      end
+    end
+  end
+
  describe '#lookup_urls' do
    it 'can look up long urls' do
      sign_in(user)
@ -373,6 +426,42 @@ describe UploadsController do
      expect(result[0]["url"]).to eq(upload.url)
      expect(result[0]["short_path"]).to eq(upload.short_path)
    end
+
+    describe 'secure media' do
+      let(:upload) { Fabricate(:upload_s3, secure: true) }
+
+      before do
+        SiteSetting.authorized_extensions = "pdf|png"
+        SiteSetting.s3_upload_bucket = "s3-upload-bucket"
+        SiteSetting.s3_access_key_id = "s3-access-key-id"
+        SiteSetting.s3_secret_access_key = "s3-secret-access-key"
+        SiteSetting.enable_s3_uploads = true
+        SiteSetting.secure_media = true
+      end
+
+      it 'returns secure url for a secure media upload' do
+        sign_in(user)
+
+        post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
+        expect(response.status).to eq(200)
+
+        result = JSON.parse(response.body)
+        expect(result[0]["url"]).to match("/secure-media-uploads")
+        expect(result[0]["short_path"]).to eq(upload.short_path)
+      end
+
+      it 'does not return secure urls for non-media uploads' do
+        upload.update!(original_filename: "not-an-image.pdf", extension: "pdf")
+        sign_in(user)
+
+        post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
+        expect(response.status).to eq(200)
+
+        result = JSON.parse(response.body)
+        expect(result[0]["url"]).not_to match("/secure-media-uploads")
+        expect(result[0]["short_path"]).to eq(upload.short_path)
+      end
+    end
  end

  describe '#metadata' do