diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 3eeb85e7149..31a13228541 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -168,6 +168,7 @@ class UploadsController < ApplicationController
   def handle_secure_upload_request(upload, path_with_ext = nil)
     if upload.access_control_post_id.present?
+      raise Discourse::InvalidAccess if current_user.nil? && SiteSetting.login_required
       raise Discourse::InvalidAccess if !guardian.can_see?(upload.access_control_post)
     else
       return render_404 if current_user.nil?
diff --git a/spec/requests/uploads_controller_spec.rb b/spec/requests/uploads_controller_spec.rb
index e9eb59ea579..815bcfc828e 100644
--- a/spec/requests/uploads_controller_spec.rb
+++ b/spec/requests/uploads_controller_spec.rb
@@ -581,6 +581,20 @@ RSpec.describe UploadsController do
       end
     end
+    context "when login is required and user is not signed in" do
+      let(:post) { Fabricate(:post) }
+
+      before do
+        SiteSetting.login_required = true
+        upload.update(access_control_post_id: post.id)
+      end
+
+      it "returns a 403" do
+        get secure_url
+        expect(response.status).to eq(403)
+      end
+    end
+
     context "when the prevent_anons_from_downloading_files setting is enabled and the user is anon" do
       before { SiteSetting.prevent_anons_from_downloading_files = true }
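Review bot: The new login_required guard only covers the `access_control_post_id.present?` branch, while the `else` branch still answers the same anonymous request with `render_404`, so an anonymous client on a login-required site receives 403 for uploads bound to a post and 404 for the rest; if that distinction is not intended, hoist the check above the `if` so both paths fail closed identically: `raise Discourse::InvalidAccess if SiteSetting.login_required && current_user.nil?` as the first line of the method. Either way, the line deserves a why-comment, since the `guardian.can_see?` check directly below looks like it should already reject an anonymous reader; something like `# guardian.can_see? appears to allow anonymous reads of public posts, so login_required must be enforced explicitly here` (hedged, as the guardian logic is not in this hunk). Reading it as `unless` instead of `if ... .nil?` would also match the style of the surrounding guards. The method body (the closing `end` of the `if` and of the method) continues outside the hunk.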