V8-archive: Unauthenticated users can access the files uploaded on Directus

Created on 8 Nov 2020 · 3 Comments · Source: directus/v8-archive

• Version of Directus: 8.8.1
• AWS EC2 Amazon Linux 2 - MariaDB 10.4.13
• Steps to Reproduce:

1. Clean installation of Directus 8.

2. Log in as Admin and upload a file.

3. Make sure the Public role has no permission on any custom or system collection.

4. Open a different browser in which the user is unauthenticated and paste the URL to access the file: https://{{directus}}/{{project}}/assets/{(unknown)}

5. The file can be viewed/downloaded.

The ideal solution for me would be to have a private S3 bucket as storage, not publicly accessible.
Directus should check the user permission when requesting an assets/{(unknown)}. Maybe the token should be sent as query parameter?

All 3 comments

Images are 99% assets and should be accessible to anyone in my opinion.

@luglia that's why

Directus should check the user permission when requesting an assets/{(unknown)}.

is a good idea. It allows users that want to have it public to give access to the public role, while allowing others to more finely specify what is accessible and what's not

If there is anyone searching for a quick solution:

Simply add the auth middleware to the assets route in src/web.php

// Original registration in src/web.php, commented out because it serves assets without any auth check:
//$app->get('/{project}/assets/{id}', \Directus\Api\Routes\Assets::class);

// Re-register the assets route inside the project group with the auth middleware applied (Slim 3 style):
$app->group('/{project}', function () use ($middleware) {
    $this->get('/assets/{id}', \Directus\Api\Routes\Assets::class)
        ->add($middleware['auth_user'])
        ->add($middleware['auth'])
        ->add($middleware['table_gateway']);

...

After that the assets url is no longer available with public access.
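The following is an added example and is not code from Directus or from the comment above. It is a self-contained PHP script that models the Slim-style `->add()` wrapping with a minimal request pipeline, so the effect of the change (and of the issue's suggestion that the token could travel as a query parameter) can be seen without a Directus install: the same request is sent once through the unguarded route and once through the guarded one. `Request`, `Response`, `TOKENS`, `CAN_READ_FILES` and the `add()` helper are illustrative stand-ins, not Directus or Slim classes, and whether Directus 8's own auth middleware honours a query-parameter token is not something this page states.

```php
<?php
// Added example, not Directus or Slim code: a minimal middleware stack that shows
// why wrapping the assets route in an auth/permission check changes the outcome.
// Request, Response, TOKENS, CAN_READ_FILES and add() are illustrative stand-ins.

declare(strict_types=1);

final class Request
{
    public function __construct(
        public string $path,
        public array $query = [],    // e.g. ['access_token' => '...']
        public array $headers = [],  // e.g. ['Authorization' => 'Bearer ...']
    ) {}
}

final class Response
{
    public function __construct(public int $status, public string $body) {}
}

// Constructed sample data standing in for directus_users and directus_permissions rows.
const TOKENS = ['s3cr3t-admin-token' => 'admin', 'editor-token' => 'editor'];
const CAN_READ_FILES = ['admin' => true, 'editor' => true, 'public' => false];

// The token may arrive as a Bearer header or, as the issue suggests, as a query
// parameter so that plain <img src> and download links can still carry credentials.
function tokenFrom(Request $req): ?string
{
    if (preg_match('/^Bearer\s+(\S+)$/i', $req->headers['Authorization'] ?? '', $m)) {
        return $m[1];
    }
    return $req->query['access_token'] ?? null;
}

// The route as shipped: no middleware, so every request is served.
$assetsRoute = function (Request $req): Response {
    return new Response(200, 'bytes of ' . basename($req->path));
};

// Auth + permission middleware: resolve the role (unknown or missing token => public)
// and refuse before the handler runs unless that role may read directus_files.
$middleware['auth'] = function (Request $req, callable $next): Response {
    $token = tokenFrom($req);
    $role  = ($token !== null && isset(TOKENS[$token])) ? TOKENS[$token] : 'public';
    if (!(CAN_READ_FILES[$role] ?? false)) {
        return new Response(403, 'Forbidden');
    }
    return $next($req);
};

// Stand-in for Slim's ->add(): the middleware wraps the route and decides whether to call it.
function add(callable $route, callable $mw): callable
{
    return fn (Request $req): Response => $mw($req, $route);
}

$guardedRoute = add($assetsRoute, $middleware['auth']);

// Constructed requests: anonymous, query-parameter token, header token, and a guessed token.
$anonymous  = new Request('/myproject/assets/1');
$withQuery  = new Request('/myproject/assets/1', ['access_token' => 'editor-token']);
$withHeader = new Request('/myproject/assets/1', [], ['Authorization' => 'Bearer s3cr3t-admin-token']);
$badToken   = new Request('/myproject/assets/1', ['access_token' => 'guess']);

// The unguarded route serves the anonymous request; the guarded one only serves requests
// whose token resolves to a role that may read directus_files.
printf("unguarded, anonymous:  %d\n", $assetsRoute($anonymous)->status);
printf("guarded, anonymous:    %d\n", $guardedRoute($anonymous)->status);
printf("guarded, query token:  %d\n", $guardedRoute($withQuery)->status);
printf("guarded, header token: %d\n", $guardedRoute($withHeader)->status);
printf("guarded, bad token:    %d\n", $guardedRoute($badToken)->status);
```

Note that with Slim 3's `->add()` the last middleware added runs first, so in the real fix `table_gateway` wraps the outside, then `auth`, then `auth_user`; the script above collapses them into one middleware only to keep the before/after comparison short. Putting the token in a query string also means it lands in access logs and browser history, which is worth weighing against the convenience of plain asset links.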
