Rocket.chat: [sandstorm] Embedded images don't appear for all users (403)

Grain access to the uploaded file is returning 403 forbidden. Trying to download the same file also result in 403 error.

@jparyani @paulproteus Do you know of any permissions change at the Sandstorm server end in the mean time? TIA

This can be related to #1831 and #2242 - so we will investigate at this end as well.

Error is captured (against a demo instance on oasis) below:

OK.

It looks like we have added a redirect URL with a temporary token in order to prevent the link from being shared outside of Rocket.Chat

Here is one xxx.JPG, after mapped redirect, for S3 storage.

https://s3.amazonaws.com/uploads.rocket.chat/demo.rocket.chat/ioCWyDcDkoTfpzrX3/2urrp3DyDkLxoMAd3/jmcQkvPXHW4iwqWKN?AWSAccessKeyId=AKIAJRT7GK5MCYPBZGKA&Expires=1461976781&Signature=kJpG7dgT2vylglnrh7GvzLGIiko%3D

@sampaiodiego - how is this handled when the storage is _NOT_ S3, (gridfs or filesystem) - Will it still go through a redirect?

I've tested on Microsoft Edge - and with Edge on our DEMO SERVER (not with Sandstorm!) - any uploaded file also does not show ... with EXACT 403 symptom. TIA

@neynah problem solved.

Please go to Menu ... Administration -> File Uploads

And set Protect Uploaded File to FALSE and then save changes.

This should fix the problem.

@sampaiodiego @marceloschmidt - we should consider defaulting this setting to FALSE in future versions.

Additionally, the Sandstorm defaults for this should probably be False, since Sandstorm does this by itself, unless I misunderstand something.

@Sing-Li That worked. Thank you! :)

Hey @Sing-Li - since your existing Sandstorm grain has broken uploads, would you be willing to add a migration to new Rocket.Chat installs so that:

• If it's running on Sandstorm, and
• If the protect files flag is set to true,
• Then set it to false.

That way, at the next Rocket.Chat push to the Sandstorm App Market, when users update to that, their file uploads will get un-broken.

This will (sadly) result in clobbering a user setting. However, that user setting is meaningless within Sandstorm. Given that, it might be sensible to remove the setting (or at least the UI for the setting) altogether when running in Sandstorm.

Curious for your thoughts.

I actually did my testing on an anonymous grain - from an Internet Cafe - on oasis's guest 1 hr demo account. (Man, oasis demo account is SO SLOW now in creating Rocket.Chat! :angry: ) Sorry.

BUT the good news is that we cut new releases every Monday. So when the (normal Sandstorm user, non-devs) folks goes to work again - they'd seen an update with the problem fixed already :)

BTW - the fix will be along the lines of :

if (running in sandstorm)  {

  always consider that setting to be false
  do whatever

}

Plus removing the setting from Sandstorm altogether, perhaps - as you mentioned.

@Sing-Li Which commit fixed this issue for Sandstorm? I only see 4af0d99 which was reverted in 4af0d99 (and anyway didn't fix the problem for existing grains). If this issue isn't fixed I think it should be re-opened.

@kentonv is this still a problem? We can set an environment variable FileUpload_ProtectFiles to false on Sandstorm grains if so.

Image uploads seem to be working in 0.36.2.