Improve documentation/add clarification around the storage options and their permission enforcement, including notice on roles view #3688
Comments
Hi @brynmoorhouse,
I do, but the page which the image is uploaded to isn't public.
@brynmoorhouse Yeah, that'll be the cause. This image solution is only enforced when public access is disabled, since this uses the same auth control logic. This is mentioned in our security docs page but maybe we need to also mention this on our file uploads docs page.
Yeah, this could do with clarifying I guess on this roles view to avoid insecure assumptions.
Sure, I haven't had this as a common request here (can't find an existing issue) but it has been requested via some other channels. This issue will remain open, with an aim to clarify the available image security options. I'll update the title for this focus.
Also updated security docs to be leaner and reference the file-uploads docs for specifics on upload options to reduce docs duplication. Also reformatted storage options overview to be extra clear about the different options. Related to BookStackApp/BookStack#3688
Added to clarify the role permission in scenarios where users may have not read the docs site to understand image access control. Related to #3688
I've now added a notice to the roles view for clarification as part of d867294. All of this will be part of the next feature release.
Epic, thank you!
Attempted Debugging
Searched GitHub Issues
Describe the Scenario
This is possibly me misunderstanding the feature, or it might be a bug, but I've enabled the following in my .env
STORAGE_TYPE=local_secure
I've verified that all images are being uploaded to storage/uploads (outside the public directory), yet I can still enter the direct image URL in an incognito tab to view the image. I'd expect that I'd need to be logged in to view the image?
I did find issue #2998, which is the same scenario, apart from the fact that I have not set STORAGE_IMAGE_TYPE at all, which, if I've read the docs correctly, means that it will use STORAGE_TYPE.
Thanks,
Exact BookStack Version
v22.07.3
Log Content
No response
PHP Version
8.1
Hosting Environment
Debian 10, NGINX, PHP 8.1 fpm
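The thread above explains that local_secure only gates image URLs when public access is disabled, and the reporter's scenario is exactly the case where that assumption goes wrong. A practical way to verify a deployment after changing STORAGE_TYPE is to read the effective image storage setting from .env and then request a known upload URL with no session cookie, treating an image body coming back as a finding. The following script is an added example and is not BookStack project code; the .env contents, the `classify_anonymous_response` verdict names and the upload URL passed on the command line are assumptions made for this illustration.

```python
"""Defender-side check: does an anonymous client get the bytes of an upload?

Added example, not BookStack project code. It reads STORAGE_TYPE /
STORAGE_IMAGE_TYPE from a .env file, then fetches one upload URL without any
cookies and without following redirects, so a redirect to the login page
counts as "protected" and a 200 with an image/* body counts as "exposed".
"""
import sys
import urllib.error
import urllib.request

# Constructed sample .env, mirroring the setting the issue reporter enabled.
SAMPLE_ENV = """
# BookStack storage settings (constructed sample)
APP_URL="https://docs.example.invalid"
STORAGE_TYPE=local_secure
"""


def parse_env(text: str) -> dict:
    """Minimal .env parser: KEY=VALUE lines, '#' comments, optional quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def effective_image_storage(env: dict) -> str:
    """STORAGE_IMAGE_TYPE wins when set; otherwise STORAGE_TYPE applies
    (the fallback the reporter describes from the docs). Defaulting to
    'local' when neither is present is an assumption of this example."""
    return env.get("STORAGE_IMAGE_TYPE") or env.get("STORAGE_TYPE", "local")


def classify_anonymous_response(status: int, content_type: str) -> str:
    """Turn (status, Content-Type) of an unauthenticated GET into a verdict.

    'exposed'   : an image body was served to a client with no session
    'protected' : denied, not found, or redirected away (e.g. to login)
    'unknown'   : anything else, worth a manual look
    """
    if status == 200 and content_type.lower().startswith("image/"):
        return "exposed"
    if status in (401, 403, 404) or 300 <= status < 400:
        return "protected"
    return "unknown"


def probe_anonymous(url: str, timeout: float = 10.0) -> tuple:
    """GET url with no cookies and no redirect-following.

    Returns (status, content_type). Network call, used only from main().
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Returning None makes urllib raise HTTPError for 3xx instead of following it.
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "upload-access-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")


def main(env_path: str, upload_url: str) -> None:
    with open(env_path, encoding="utf-8") as handle:
        env = parse_env(handle.read())
    storage = effective_image_storage(env)
    print(f"effective image storage: {storage}")

    status, ctype = probe_anonymous(upload_url)
    verdict = classify_anonymous_response(status, ctype)
    print(f"anonymous GET {upload_url} -> {status} {ctype!r}: {verdict}")

    if storage == "local_secure" and verdict == "exposed":
        print("local_secure is set but the image is served to anonymous clients; "
              "check whether public access is enabled in BookStack's settings")


if __name__ == "__main__":
    # usage: python check_upload_access.py /path/to/.env https://<host>/<upload-url>
    main(sys.argv[1], sys.argv[2])
```

Run it against a copy of the instance's .env and the URL of an image from a non-public page; the interesting result is "local_secure" combined with "exposed", which is the reporter's situation and points at the public-access setting rather than at the storage driver.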