FEATURE: Secure uploads in PMs only (#23398)

This adds a new secure_uploads_pm_only site setting. When secure_uploads is true with this setting, only uploads created in PMs will be marked secure; no uploads in secure categories will be marked as secure, and the login_required site setting has no bearing on upload security either. This is meant to be a stopgap solution to prevent secure uploads in a single place (private messages) for sensitive admin data exports. Ideally we would want a more comprehensive way of saying that certain upload types get secured which is a hybrid/mixed mode secure uploads, but for now this will do the trick.
2025-06-01 08:20:33 +08:00 · 2023-09-06 09:39:09 +10:00
parent de9b567c19
commit c532f6eb3d
14 changed files with 283 additions and 43 deletions
--- a/spec/models/upload_spec.rb
+++ b/spec/models/upload_spec.rb
@ -491,16 +491,38 @@ RSpec.describe Upload do
        SiteSetting.login_required = true
        SiteSetting.authorized_extensions = ""
        expect do
-          upl =
-            Fabricate(
-              :upload,
-              access_control_post: Fabricate(:private_message_post),
-              security_last_changed_at: Time.zone.now,
-              security_last_changed_reason: "test",
-              secure: true,
-            )
+          Fabricate(
+            :upload,
+            access_control_post: Fabricate(:private_message_post),
+            security_last_changed_at: Time.zone.now,
+            security_last_changed_reason: "test",
+            secure: true,
+          )
        end.to raise_error(ActiveRecord::RecordInvalid)
      end
+
+      context "when secure_uploads_pm_only is true" do
+        before { SiteSetting.secure_uploads_pm_only = true }
+
+        it "does not mark an image upload as secure if login_required is enabled" do
+          SiteSetting.login_required = true
+          upload.update!(secure: false)
+          expect { upload.update_secure_status }.not_to change { upload.secure }
+          expect(upload.reload.secure).to eq(false)
+        end
+
+        it "marks the upload as not secure if its access control post is a public post" do
+          upload.update!(secure: true, access_control_post: Fabricate(:post))
+          upload.update_secure_status
+          expect(upload.secure).to eq(false)
+        end
+
+        it "leaves the upload as secure if its access control post is a PM post" do
+          upload.update!(secure: true, access_control_post: Fabricate(:private_message_post))
+          upload.update_secure_status
+          expect(upload.secure).to eq(true)
+        end
+      end
    end
  end