SECURITY: Prevent guest users from accessing secure uploads when login required

app/controllers/uploads_controller.rb

@@ -168,6 +168,7 @@ class UploadsController < ApplicationController
 
   def handle_secure_upload_request(upload, path_with_ext = nil)
     if upload.access_control_post_id.present?
+      raise Discourse::InvalidAccess if current_user.nil? && SiteSetting.login_required
       raise Discourse::InvalidAccess if !guardian.can_see?(upload.access_control_post)
     else
       return render_404 if current_user.nil?

spec/requests/uploads_controller_spec.rb

@@ -578,6 +578,20 @@ RSpec.describe UploadsController do
           end
         end
 
+        context "when login is required and user is not signed in" do
+          let(:post) { Fabricate(:post) }
+
+          before do
+            SiteSetting.login_required = true
+            upload.update(access_control_post_id: post.id)
+          end
+
+          it "returns a 403" do
+            get secure_url
+            expect(response.status).to eq(403)
+          end
+        end
+
         context "when the prevent_anons_from_downloading_files setting is enabled and the user is anon" do
           before { SiteSetting.prevent_anons_from_downloading_files = true }