mirror of
https://github.com/discourse/discourse.git
synced 2024-11-30 07:53:39 +08:00
102909edb3
This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
27 lines
779 B
Ruby
27 lines
779 B
Ruby
# frozen_string_literal: true
|
|
|
|
class AddSecureToUploads < ActiveRecord::Migration[5.2]
|
|
def up
|
|
add_column :uploads, :secure, :boolean, default: false, null: false
|
|
|
|
prevent_anons_from_downloading_files = \
|
|
DB.query_single("SELECT value FROM site_settings WHERE name = 'prevent_anons_from_downloading_files'").first == 't'
|
|
|
|
if prevent_anons_from_downloading_files
|
|
execute(
|
|
<<-SQL
|
|
UPDATE uploads SET secure = 't' WHERE id IN (
|
|
SELECT DISTINCT(uploads.id) FROM uploads
|
|
INNER JOIN post_uploads ON post_uploads.upload_id = uploads.id
|
|
WHERE LOWER(original_filename) NOT SIMILAR TO '%\.(jpg|jpeg|png|gif|svg|ico)'
|
|
)
|
|
SQL
|
|
)
|
|
end
|
|
end
|
|
|
|
def down
|
|
remove_column :uploads, :secure
|
|
end
|
|
end
|