SECURITY: Prevent guest users from accessing secure uploads when login required

2024-11-29 23:34:10 +08:00 · 2024-01-08 09:53:32 -07:00 · 2024-01-08 09:53:32 -07:00 · edb2630131
commit edb2630131
parent f213ba7c1f
2 changed files with 15 additions and 0 deletions
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@ -168,6 +168,7 @@ class UploadsController < ApplicationController

  def handle_secure_upload_request(upload, path_with_ext = nil)
    if upload.access_control_post_id.present?
+      raise Discourse::InvalidAccess if current_user.nil? && SiteSetting.login_required
      raise Discourse::InvalidAccess if !guardian.can_see?(upload.access_control_post)
    else
      return render_404 if current_user.nil?
--- a/spec/requests/uploads_controller_spec.rb
+++ b/spec/requests/uploads_controller_spec.rb
@ -581,6 +581,20 @@ RSpec.describe UploadsController do
          end
        end

+        context "when login is required and user is not signed in" do
+          let(:post) { Fabricate(:post) }
+
+          before do
+            SiteSetting.login_required = true
+            upload.update(access_control_post_id: post.id)
+          end
+
+          it "returns a 403" do
+            get secure_url
+            expect(response.status).to eq(403)
+          end
+        end
+
        context "when the prevent_anons_from_downloading_files setting is enabled and the user is anon" do
          before { SiteSetting.prevent_anons_from_downloading_files = true }