FEATURE: Support private attachments when using S3 storage (#7677)

* Support private uploads in S3 * Use localStore for local avatars * Add job to update private upload ACL on S3 * Test multisite paths * update ACL for private uploads in migrate_to_s3 task
2025-05-31 22:35:03 +08:00 · 2019-06-05 23:27:24 -04:00
parent e0c821ebb0
commit f00275ded3
13 changed files with 240 additions and 9 deletions
--- a/spec/lib/upload_creator_spec.rb
+++ b/spec/lib/upload_creator_spec.rb
@ -170,9 +170,44 @@ RSpec.describe UploadCreator do
      end
    end

+    describe 'private uploads' do
+      let(:filename) { "small.pdf" }
+      let(:file) { file_from_fixtures(filename, "pdf") }
+
+      before do
+        SiteSetting.prevent_anons_from_downloading_files = true
+        SiteSetting.authorized_extensions = 'pdf|svg|jpg'
+      end
+
+      it 'should mark uploads as private' do
+        upload = UploadCreator.new(file, filename).create_for(user.id)
+        stored_upload = Upload.last
+
+        expect(stored_upload.private?).to eq(true)
+      end
+
+      it 'should not mark theme uploads as private' do
+        fname = "custom-theme-icon-sprite.svg"
+        upload = UploadCreator.new(file_from_fixtures(fname), fname, for_theme: true).create_for(-1)
+
+        expect(upload.private?).to eq(false)
+      end
+
+      it 'should not mark image uploads as private' do
+        fname = "logo.jpg"
+        upload = UploadCreator.new(file_from_fixtures(fname), fname).create_for(user.id)
+        stored_upload = Upload.last
+
+        expect(stored_upload.original_filename).to eq(fname)
+        expect(stored_upload.private?).to eq(false)
+      end
+    end
+
    describe 'uploading to s3' do
      let(:filename) { "should_be_jpeg.png" }
      let(:file) { file_from_fixtures(filename) }
+      let(:pdf_filename) { "small.pdf" }
+      let(:pdf_file) { file_from_fixtures(pdf_filename, "pdf") }

      before do
        SiteSetting.s3_upload_bucket = "s3-upload-bucket"
@ -197,6 +232,19 @@ RSpec.describe UploadCreator do

        expect(upload.etag).to eq('ETag')
      end
+
+      it 'should return signed URL for private uploads in S3' do
+        SiteSetting.prevent_anons_from_downloading_files = true
+        SiteSetting.authorized_extensions = 'pdf'
+
+        upload = UploadCreator.new(pdf_file, pdf_filename).create_for(user.id)
+        stored_upload = Upload.last
+        signed_url = Discourse.store.url_for(stored_upload)
+
+        expect(stored_upload.private?).to eq(true)
+        expect(stored_upload.url).not_to eq(signed_url)
+        expect(signed_url).to match(/Amz-Credential/)
+      end
    end
  end
 end