FEATURE: Secure uploads in PMs only (#23398)

This adds a new secure_uploads_pm_only site setting. When secure_uploads is true with this setting, only uploads created in PMs will be marked secure; no uploads in secure categories will be marked as secure, and the login_required site setting has no bearing on upload security either. This is meant to be a stopgap solution to prevent secure uploads in a single place (private messages) for sensitive admin data exports. Ideally we would want a more comprehensive way of saying that certain upload types get secured which is a hybrid/mixed mode secure uploads, but for now this will do the trick.
2025-05-29 01:31:35 +08:00 · 2023-09-06 09:39:09 +10:00
parent de9b567c19
commit c532f6eb3d
14 changed files with 283 additions and 43 deletions
--- a/spec/system/s3_uploads_spec.rb
+++ b/spec/system/s3_uploads_spec.rb
@ -5,10 +5,9 @@ describe "Uploading files in the composer to S3", type: :system do

  let(:modal) { PageObjects::Modals::Base.new }
  let(:composer) { PageObjects::Components::Composer.new }
+  let(:topic) { PageObjects::Pages::Topic.new }

  describe "direct S3 uploads" do
-    before { SiteSetting.enable_direct_s3_uploads = true }
-
    describe "single part uploads" do
      it "uploads custom avatars to S3" do
        skip_unless_s3_system_specs_enabled!
@ -43,7 +42,7 @@ describe "Uploading files in the composer to S3", type: :system do
        setup_s3_system_test
        sign_in(current_user)

-        visit "/new-topic"
+        topic.open_new_topic

        file_path = file_from_fixtures("logo.png", "images").path
        attach_file(file_path) { composer.click_toolbar_button("upload") }