Private attachments not allowed by users
-
Hello!
I've set up a new forum myself using NodeBB and I have an issue with uploads. I've enabled private attachments and my users experience missing images/attachments from time to time. If they access the file directly they get "not-allowed", but I can see the file in the ACP upload manager. I have a regular user where I test out stuff and it's happening to that user as well. So far my only hint (but I am not 100% sure) is that this starts happening after editing a post. It doesn't seem to happen to my user due to caches (I guess!).
I have tried to search if someone else experienced the same but couldn't find anything.
-
Are you saying logged in users are seeing the "Login to view" button instead of the link to the upload?
-
No, they see the image tags, but images are not loading:
In posts they see the alt-text or the same icon if the image does not have an alt-text:
I've temporarily set some custom extensions for private files instead of all until I get to the bottom of this.
-
What does the network tab say? Any errors when trying to load those images?
-
baris I believe it was a 403 from the server with the text "not-allowed" as body response.
-
One possibility is their JavaScript is disabled or there is a client side error, preventing the images from being turned into the "Login to view" buttons.
-
This is happening when logged in, and accessing the URL directly does not work either (logged in as well).
-
Looking at the code here, if there is no extension set then everything will return 403 for guests.
If the user is logged in then it should never reach there at all. Can you add a console.log in that function and test it with a logged in user? Something like the below should help you debug.
    middleware.privateUploads = function privateUploads(req, res, next) {
        if (req.loggedIn || !meta.config.privateUploads) {
            return next();
        }
        if (req.path.startsWith(`${nconf.get('relative_path')}/assets/uploads/files`)) {
            const extensions = (meta.config.privateUploadsExtensions || '').split(',').filter(Boolean);
            let ext = path.extname(req.path);
            ext = ext ? ext.replace(/^\./, '') : ext;
            if (!extensions.length || extensions.includes(ext)) {
                // Debug line: for a logged in user this should never be reached.
                console.log(`private upload 403, uid: ${req.uid}, loggedIn: ${req.loggedIn}, path: ${req.path}`);
                return res.status(403).json('not-allowed');
            }
        }
        next();
    };

After adding that, restart NodeBB and check the logs when the issue happens again. For a logged in user the log should never happen.
-
baris Could this be my reverse proxy caching the 403 result when the user is not logged in and presenting that even after they log in? I'm using nginx but I didn't see any specifics regarding caching. Maybe I just have an aggressive cache?
-
Did you make any changes to the default nginx config? Do you have custom plugins running that might interfere?
-
I'm using nginx proxy manager, looking around this is what they use to cache assets. It should be fairly easy to test if this is the root cause, I will check it later in the day.
I need to migrate from NPM to my own nginx server...
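-
The caching hypothesis raised in this thread, as an added model that is not part of any post and is neither NodeBB's nor nginx proxy manager's code: a shared cache keyed only by URL sits in front of the session-dependent check from the quoted middleware. The `makeProxy` cache, both policies, the empty `relative_path`, the settings and the file path are assumptions constructed for the illustration.

```javascript
// Constructed model: the origin's answer depends on the session, while the
// shared cache in front of it is keyed by URL only.
const config = { privateUploads: true, privateUploadsExtensions: '' }; // assumed settings

// Same decision as the privateUploads middleware quoted in the thread,
// written as a pure function (relative_path assumed empty).
function origin(req) {
  if (req.loggedIn || !config.privateUploads) return { status: 200, body: 'file bytes' };
  if (req.path.startsWith('/assets/uploads/files')) {
    const extensions = config.privateUploadsExtensions.split(',').filter(Boolean);
    const dot = req.path.lastIndexOf('.');
    const ext = dot === -1 ? '' : req.path.slice(dot + 1);
    if (!extensions.length || extensions.includes(ext)) {
      return { status: 403, body: 'not-allowed' };
    }
  }
  return { status: 200, body: 'file bytes' };
}

// Hypothetical proxy cache; cacheable(req, res) decides what may be stored.
function makeProxy(cacheable) {
  const store = new Map(); // key is the URL path only, no session information
  return function handle(req) {
    if (store.has(req.path)) return { ...store.get(req.path), cache: 'HIT' };
    const res = origin(req);
    if (cacheable(req, res)) store.set(req.path, res);
    return { ...res, cache: 'MISS' };
  };
}

// Weak policy: store every response, whatever its status or the session behind it.
const cacheEverything = () => true;
// Corrected policy: never store responses for the session-gated uploads path.
const skipPrivateUploads = (req) => !req.path.startsWith('/assets/uploads/files');

// Request the same file twice, once per session state, and report both answers.
function replay(policy, firstLoggedIn) {
  const proxy = makeProxy(policy);
  const file = '/assets/uploads/files/1700000000000-report.png'; // constructed path
  const first = proxy({ path: file, loggedIn: firstLoggedIn });
  const second = proxy({ path: file, loggedIn: !firstLoggedIn });
  return `${first.status}/${first.cache} then ${second.status}/${second.cache}`;
}

console.log('guest first, cache all: ', replay(cacheEverything, false));
console.log('member first, cache all:', replay(cacheEverything, true));
console.log('guest first, bypass:    ', replay(skipPrivateUploads, false));
console.log('member first, bypass:   ', replay(skipPrivateUploads, true));
```

With the weak policy the answer depends on who asked first: a guest's 403 is replayed to a logged in user, and a logged in user's 200 is replayed to a guest. A HIT on a 403 for a logged in request is the signal to look for in the proxy's logs or response headers.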