Picture urls are still accessible with password protected blogs.
Also, for some reason using the commands to block image hotlinking or direct image url etc on non-password protecting blogs do not work either. is it the proxy pass?
It's generally best to ask questions like this on Slack (https://ghost.org/slack/), as it says when opening an issue from their template.
That said, it's pretty hard to try and assist without more information about your setup: what web server you're using in front of it, what OS, etc. If you ask in the #help channel on Slack I'm sure you'll get some help, as this issue tracker should only be used for bugs, not support.
It's also worth noting that PostgreSQL support has been deprecated, so you'll need to switch soon!
Well it's an issue so it belongs here and for the ghost devs but thanks for taking time to weigh in... Postgres has nothing to do with this issue.
Steps
Go make a ghost blog, password protect it, make a post with an image, grab the image's direct url, go access it.
It should not be accessible. Nothing should be accessible behind a password protected blog.
Hi @ZiiX, thanks for trying out Ghost 😄
Picture urls are still accessible with password protected blogs.
That is by design. The password-protection feature is minimal and is not designed to be a highly secure setup; its primary purpose is to help hide content whilst developing your site.
I would suggest that if you want to put absolutely everything behind a password, you set up http-auth in your web server, as that will also have the ability to protect images and other static files. It's definitely the better level to be handling static assets at in a performant manner.
As @jloh mentioned, please head over to our slack team if you need any further support or configuration advice for protecting image files.
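The web-server-level approach suggested above, as an added example that is not code from Ghost or from anyone in this thread: Ghost's own password gate runs inside the Node app and is skipped for image URLs, whereas an `auth_basic` directive in the nginx server block applies to every path proxied through it, static files included. The Ghost address 127.0.0.1:2368, the `/content/images/` path and the htpasswd file location are assumptions.

```nginx
# Added example; assumes Ghost listens on 127.0.0.1:2368 and serves
# uploaded images under /content/images/. Create the credentials file
# first, e.g.:  sudo htpasswd -c /etc/nginx/ghost.htpasswd editor

server {
    listen 443 ssl;
    server_name blog.example.com;
    # TLS certificate/key directives omitted for brevity. Basic auth only
    # base64-encodes the credentials, so serve it over HTTPS only.

    # Set at server level so it is inherited by every location below:
    # HTML pages, image files, themes, feeds.
    auth_basic           "Private site";
    auth_basic_user_file /etc/nginx/ghost.htpasswd;

    location / {
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host              $host;
        proxy_pass http://127.0.0.1:2368;
    }

    # Ghost's password page never runs for this path; the inherited
    # auth_basic above is what answers 401 here.
    location /content/images/ {
        proxy_pass http://127.0.0.1:2368;
    }
}
```

Check it with `curl -I https://blog.example.com/content/images/<some-upload>.png` (expect `401 Unauthorized` without credentials, `200` with `-u editor:<password>`). If the `/ghost/` admin should not get the extra prompt, add a `location /ghost/ { auth_basic off; proxy_pass http://127.0.0.1:2368; }` block.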
@kevinansfield
Slack isn't open source nor searchable from the web to help other Ghost users so no clue why y'all are using that... Also, I'm assuming y'all missed the ethics & communications part of your studies because a meme with a gate and a path around it comes to mind with how a 'private data' feature is expected to keep data private. EVERY SINGLE person I've spoken to thinks your private blog feature is private.
Trust in the feature has now diminished for keeping everything private but helpful for setting things up so thanks for clarifying it is temporary by design.
_*edited to remove end-user truthful frustration._
@ZiiX I understand that you're frustrated, however this kind of overly negative and aggressive comment is not the way to reach a resolution. I invite you to read our community guidelines before commenting again.
Your comment is also incorrect. Our slack community is both free and searchable for absolutely anyone. You can get an invite to it here: https://slack.ghost.org/ all you need is an email address.
I agree that it is quite unexpected that images are available without needing to provide the password. However I am not aware of a clear use case with Ghost's existing feature set, in which an image URL could be shared in such a way that someone could unexpectedly gain access?
@ErisDS Apologies. My frustration & disappointment got the best of me. I initially sought to point out the truth & an issue per github's community guidelines. Perusing all definitions of private, especially UX-wise, prior to providing constructive feedback the first time and then being told that a so-called private feature is by design flawed to end-user expectations and technically not private.
Maybe putting a time-limit on the unencrypted password may enforce to an end-user that it's temporary as well as calling it something else may help. ...maybe in the same place it's mentioned the password is stored unencrypted that the feature does not protect images. Not all automated bots obey robots text.
As y'all said, it's really not private but temporary so glad this thread can help out others. & my comment concerning slack is correct. I cannot search within slack from external search engines like discourse blogs constructively help other users, etc. Also, it's well documented how slack is horrible for searching and for finding specific topics with problem and solution. It has been a wonderful learning experience trying ghost. Best of luck.