Protect Uploads - download should not be possible without logging in

[graywolf336]

Right now uploads to a Rocket.Chat instance are not protected, meaning anyone can download them without being authenticated. I feel this should be an admin option, to protect or not protect uploads and require an account to download them.

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[geekgonecrazy]

Absolutely agree! Almost think it should just default to requiring authentication. Do we want an option? I guess it doesn't hurt...

[graywolf336]

That's what I'm thinking, protected status is enabled by default and admins have the option to allow anyone with a link to download them.

[geekgonecrazy]

Looks like this will involve modifying another meteor module: jalik:ufs and jalik:ufs-gridfs Maybe to let us pass in some middleware which we could use to check for a Meteor.userId()

[geekgonecrazy]

Disregard ;-)

https://github.com/jalik/jalik-ufs/#setting-permissions looks to be exactly what I was talking about

[gmsecrieru]

I have started working on this but could not find a way to detect if the request for the file is coming from an authenticated user. I wonder if that is related to the way the file endpoint is defined on jalik:ufs

Any pro-tips @RocketChat/owners ?

[GaWr26]

Is there any progress on this issue as it is crucial to our implementation? I tried disabling file upload in admin settings but with no effect. Still able to upload files when set to false..

[gmsecrieru]

@FlashGuy22 this should be ready by tomorrow.

[Againstreality]

What happens here this is an issue if companys should use it.

[Megatronic79]

Version 0.10 of RC it seems image uploads is broken? Version 0.9 I had this same issue if protected was turned on but in this version "on or off" the preview is missing

on upload and if you download the from the link it is corrupt. can anyone else reproduce this error?

[k0nsl]

@Megatronic79

Yes, I can reproduce it.

[k0nsl]

This is the output I see in the terminal:

I20151221-23:11:44.758(-5)? { '0': 
I20151221-23:11:44.758(-5)?    { _id: 'KdYeasz3cdiJvNvxY',
I20151221-23:11:44.758(-5)?      name: 'System Monitor_025.png',
I20151221-23:11:44.787(-5)?      size: 58048,
I20151221-23:11:44.788(-5)?      type: 'image/png',
I20151221-23:11:44.788(-5)?      rid: 'hxK6cr57Gwo2oG7jL',
I20151221-23:11:44.788(-5)?      complete: true,
I20151221-23:11:44.788(-5)?      uploading: false,
I20151221-23:11:44.788(-5)?      store: 'rocketchat_uploads',
I20151221-23:11:44.788(-5)?      extension: 'png',
I20151221-23:11:44.789(-5)?      userId: '4mkpxoqXtfq2utqEC',
I20151221-23:11:44.789(-5)?      uploadedAt: Mon Dec 21 2015 23:11:44 GMT-0500 (EST),
I20151221-23:11:44.790(-5)?      url: 'https://192.168.1.90/ufs/rocketchat_uploads/KdYeasz3cdiJvNvxY/System Monitor_025.png' } }
I20151221-23:11:45.289(-5)? stream.permissions.read EequjtQvjA8Lfe8oF hxK6cr57Gwo2oG7jL
I20151221-23:11:45.292(-5)? stream.permissions.read EequjtQvjA8Lfe8oF hxK6cr57Gwo2oG7jL
I20151221-23:11:45.293(-5)? stream.permissions.read kR2dmCrtsvSBzGunn hxK6cr57Gwo2oG7jL
I20151221-23:11:45.295(-5)? stream.permissions.read 4mkpxoqXtfq2utqEC hxK6cr57Gwo2oG7jL

This error crops up with code pulled only five minutes ago and the issue itself has persisted for about two or three days.

[engelgabriel]

Are guys running version v0.10.1 ?

[Megatronic79]

I updated to 10.1 and its working fine for me now.

Only thing is when I download an image from the windows client it spawns another client to download then leaves it open see below:

[k0nsl]

@engelgabriel: I'm on whatever version is the most current. I pull home the new code from development branch once a day.

[engelgabriel]

@Megatronic79 can you open an issue on our Electron project?

@k0nsl how are you installing it? Are you using docker, meteor build or just just meteor?
What do you get on your https://demo.rocket.chat/api/info ?

[k0nsl]

@engelgabriel
My current routine looks like this:

[initiate a new screen session]

screen -S rocket.chat

Fetch latest code from the primary branch:

git fetch --all && git reset --hard origin/develop

Start it up:

meteor

...then detach screen, sit back and (hopefully) enjoy the result ;)

[EDIT]

The output of /api/info is:

{
  "version": "0.10.1",
  "compile": {
    "date": "2015-12-22T04:10:45.798Z",
    "nodeVersion": "v0.10.40",
    "arch": "x64",
    "platform": "linux",
    "osRelease": "3.16.0-4-amd64",
    "totalMemmory": 4157698048,
    "freeMemmory": 1376940032,
    "cpus": 8
  },
  "commit": {
    "hash": "c32ccf901348cb9194c6d55193cd21a9b0981e08",
    "date": "Tue Dec 22 00:01:40 2015 -0200",
    "author": "Marcelo Schmidt",
    "subject": "Show room topic"
  },
  "tag": "v0.10.1",
  "branch": "master",
  "GraphicsMagick": {
    "enabled": false
  },
  "ImageMagick": {
    "enabled": false
  }
}

[engelgabriel]

@k0nsl what port are you running Rocket.Chat on? Meteor runs on 3000 by default, but you url: 'https://192.168.1.90/ufs/rocketchat_uploads/KdYeasz3cdiJvNvxY/System Monitor_025.png' has no port.

What is your Site URL config on your admin panel?

[engelgabriel]

@sampaiodiego just explained, the problem is the "space" in the file name. He is fixing it.

[engelgabriel]

this is now fixed on v0.10.2

Please reopen otherwize.