Orchardcore: Can direct media URLs be disabled?

Created on 14 Oct 2020 · 3 Comments · Source: OrchardCMS/OrchardCore

Once the users access the URL of a media file it will be available for everyone and I can't take advantage of my private container (Azure Storage).

I mean ~/media/path-to-blob/blob.jpg is a public URL.

Is it possible to disable downloading media files directly with their URLs?

All 3 comments

Duplicate of https://github.com/OrchardCMS/OrchardCore/issues/6027

Not currently supported oob, @szilardcsere89; however, if you want to implement it, suggestions for the implementation detail are on the issue.

Here is some limited middleware I use which secures anything under the path ~/media/secure:

    using System;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Http;
    using Microsoft.Extensions.Logging;
    using Microsoft.Extensions.Options;
    using OrchardCore.Media;
    using OrchardCore.Routing;

    public class SecureMediaMiddleware
    {
        private readonly RequestDelegate _next;
        private readonly ILogger _logger;

        // Root request path of the media module, taken from MediaOptions.
        private readonly PathString _assetsRequestPath;

        public SecureMediaMiddleware(
            RequestDelegate next,
            IOptions<MediaOptions> mediaOptions,
            ILogger<SecureMediaMiddleware> logger
            )
        {
            _next = next;
            _logger = logger;

            _assetsRequestPath = mediaOptions.Value.AssetsRequestPath;
        }

        /// <summary>
        /// Secures a media path if request url starts with ~/media/secure
        /// </summary>
        /// <param name="context"></param>
        public async Task Invoke(HttpContext context, IAuthorizationService authorizationService)
        {
            var validateAssetsRequestPath = context.Request.Path.StartsWithNormalizedSegments(_assetsRequestPath, StringComparison.OrdinalIgnoreCase, out var subPath);
            if (!validateAssetsRequestPath)
            {
                // Not a media request: log the full request path (subPath is empty here) and pass through.
                _logger.LogDebug("Request path {Path} does not match the assets request path {RequestPath}", context.Request.Path, _assetsRequestPath);
                await _next(context);
                return;
            }

            if (subPath.StartsWithNormalizedSegments("/secure"))
            {
                _logger.LogDebug("Request path {SubPath} is secure, authorizing", subPath);
                // SecureMediaPermissions.ViewSecureMedia is a custom permission defined elsewhere in the module (not shown here).
                if (!await authorizationService.AuthorizeAsync(context.User, SecureMediaPermissions.ViewSecureMedia))
                {
                    // Not authorized: issue an authentication challenge and stop the pipeline.
                    await context.ChallengeAsync();
                    return;
                }
                _logger.LogDebug("View Media authorization successful");
            }

            // One day if they want thumbnails we could also check the query string for a size of 160
            await _next(context);
        }
    }

You will need to register this with app.Use<SecureMediaMiddleware>() in a module which has a dependency on OrchardCore.Admin to get the middleware loaded in the correct order (it needs to be after the standard AuthenticationMiddleware but before the OrchardCore.Media.Middleware).

Thanks, it works. The only problem is if the browser caches the asset.
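
The caching problem raised in the comment above can be addressed by marking every response under the secured path as non-cacheable. The following is an added example, not code from the thread or from Orchard Core: the class name `SecureMediaNoStoreMiddleware` is hypothetical, and it assumes the same `MediaOptions` and `/secure` sub-path as the middleware posted earlier.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options;
using Microsoft.Net.Http.Headers;
using OrchardCore.Media;
using OrchardCore.Routing;

// Hypothetical companion to SecureMediaMiddleware (name is an assumption):
// forces "no-store" on everything served from ~/media/secure so that an
// authorized download is not replayed later from a browser or shared cache.
public class SecureMediaNoStoreMiddleware
{
    private readonly RequestDelegate _next;
    private readonly PathString _assetsRequestPath;

    public SecureMediaNoStoreMiddleware(RequestDelegate next, IOptions<MediaOptions> mediaOptions)
    {
        _next = next;
        _assetsRequestPath = mediaOptions.Value.AssetsRequestPath;
    }

    public Task Invoke(HttpContext context)
    {
        // Same path test as the middleware from the thread.
        var isMedia = context.Request.Path.StartsWithNormalizedSegments(
            _assetsRequestPath, StringComparison.OrdinalIgnoreCase, out var subPath);

        if (isMedia && subPath.StartsWithNormalizedSegments("/secure"))
        {
            // OnStarting callbacks run just before the headers are sent, after
            // the downstream media middleware has written its own Cache-Control,
            // so the values set here are the ones the client receives.
            context.Response.OnStarting(() =>
            {
                var headers = context.Response.Headers;
                headers[HeaderNames.CacheControl] = "no-store, private";
                headers[HeaderNames.Pragma] = "no-cache";
                headers.Remove(HeaderNames.Expires);
                return Task.CompletedTask;
            });
        }

        return _next(context);
    }
}
```

Register it in the same module and at the same position as the secure media middleware, ahead of the media middleware, for example with `app.UseMiddleware<SecureMediaNoStoreMiddleware>()`. Copies that a browser cached before the header was in place stay cached until they expire or are cleared.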

We could create a Media Permission module that would create a ViewMedia permission, and check this in the described middleware. Then it could also support folder-specific permissions, which has been asked for too.

Disabling public access would just be about removing ViewMedia from Anonymous.
