NodeBB icon indicating copy to clipboard operation
NodeBB copied to clipboard
verified publisher icon NodeBB

Refactor uploaded files to distinguish between post, chat, and group uploads

Open julianlam opened this issue 3 years ago • 6 comments

via #10659

  • [ ] When a picture is uploaded, save it to os.tmpdir() + '/nodebb/uploads/{post|chat}'
  • [ ] When the chat message is sent or the post is submitted, move the upload to the appropriate folder (probably as part of posts.uploads.sync())
  • [ ] Save post uploads to public/uploads/post
  • [ ] Save chat uploads to public/uploads/chat
  • [ ] Save group covers to public/uploads/group
  • [ ] Fix the client-side code (that shows post association) to reference the new path
  • Access Controls
    • [ ] For any given upload, check to see if it is in any pid or mid. If so, check access privilege. Otherwise 403.
    • [ ] Remove privateUploads config property
  • Migration
    • [ ] Move all non-orphaned post uploads to the new folder
    • [ ] Read through all sent messages and associate images with mids
    • [ ] Move chat uploads to the new folder
    • [ ] Archive remaining files into a separate folder (for manual deletion)

julianlam avatar Jun 15 '22 23:06 julianlam

🚨 This is a breaking change

Once this issue is completed, the storage location for uploaded files and posts and chat messages will have changed.

There are no API changes

  • Posts will have their uploads stored in public/uploads/files/post
  • Chats will have their uploads stored in public/uploads/files/chat
  • Group covers will be stored in public/uploads/groups
  • The privateUploads option will be removed, it will be enabled by default

julianlam avatar Jun 16 '22 13:06 julianlam

🚨 This is a breaking change

Once this issue is completed, the storage location for uploaded files and posts and chat messages will have changed.

There are no API changes

* Posts will have their uploads stored in `public/uploads/files/post`

* Chats will have their uploads stored in `public/uploads/files/chat`

hi @julianlam , am I correct to assume that we will be able to keep post uploads public and chat uploads private after these changes? I think, currently, the upload privacy setting in ACP does not distinguish between chat/post uploads?

AliCihan avatar Jan 27 '23 19:01 AliCihan

Hm... not really, there's nothing in the aforementioned plan that changes how private uploads are handled.

Right now if private uploads are enabled, the requesting user is a guest, and the file is in the uploads/ folder, then access is denied.

Once this change is made, the files will still have the uploads/ prefix, so the logic is unchanged.

However, I will need to ping @barisusakli for this one... why exactly do we have the privateUploads config option again? It is true that theoretically if a category is private, that the uploaded images would be accessible, but to have them accessible would mean you need to know the upload timestamp and the filename, which makes is essentially unguessable...

Basically, I'm struggling to find a use case for privateUploads. It seems like it would make more sense if each post upload (for example) is associated with a post, and we check to see if the calling user can view the post. Likewise for chat uploads, and group covers.

julianlam avatar Feb 23 '23 20:02 julianlam

Can probably remove privateUploads then, was added 10 years ago 😆 https://github.com/NodeBB/NodeBB/commit/35e2e1462bd68d9bd9b99715d5992c9371c6e862

Also there is some client side code that turns uploads into login to view https://github.com/NodeBB/NodeBB/commit/49e3a368f8a30b65c4574ee9e254438aef26233b

barisusakli avatar Feb 23 '23 20:02 barisusakli

Okay, that's enough justification I need to :axe: the config option :smile:

julianlam avatar Feb 23 '23 20:02 julianlam

Also the private uploads setting doesn't do anything if you use a plugin to store uploads somewhere else

barisusakli avatar Feb 23 '23 20:02 barisusakli