Private attachments not allowed by users
-
Are you saying logged in users are seeing the "Login to view" button instead of the link to the upload?
-
No, they see the image tags, but images are not loading:
In posts they see the alt-text or the same icon if the image does not have an alt-text:
I've temporarily set some custom extensions for private files instead of all until I get to the bottom of this.
-
What does the network tab say? Any errors when trying to load those images?
-
baris I believe it was a 403 from the server with the text "not-allowed" as body response.
-
One possibility is their JavaScript is disabled or there is a client side error, preventing the images from being turned into the "Login to view" buttons.
-
This is happening when logged in, and accessing the URL directly does not work either (logged in as well).
-
Looking at the code here, if there is no extension set then everything will return 403 for guests.
If the user is logged in then it should never reach there at all. Can you add a console.log in that function and test it with a logged in user? Something like the below should help you debug.
```js
middleware.privateUploads = function privateUploads(req, res, next) {
	if (req.loggedIn || !meta.config.privateUploads) {
		return next();
	}

	if (req.path.startsWith(`${nconf.get('relative_path')}/assets/uploads/files`)) {
		const extensions = (meta.config.privateUploadsExtensions || '').split(',').filter(Boolean);
		let ext = path.extname(req.path);
		ext = ext ? ext.replace(/^\./, '') : ext;
		if (!extensions.length || extensions.includes(ext)) {
			console.log(`private upload 403, uid: ${req.uid}, loggedIn: ${req.loggedIn}, path: ${req.path}`);
			return res.status(403).json('not-allowed');
		}
	}

	next();
};
```
After adding that restart nodebb and check the logs when the issue happens again. For a logged in user the log should never happen.
-
baris Could this be my reverse proxy caching the 403 result when the user is not logged in and presenting that even after they log in? I'm using nginx but I didn't see any specifics regarding caching. Maybe I just have an aggressive cache?
-
Did you make any changes to the default nginx config? Do you have custom plugins running that might interfere?
-
I'm using nginx proxy manager, looking around this is what they use to cache assets. It should be fairly easy to test if this is the root cause, I will check it later in the day.
I need to migrate from NPM to my own nginx server...
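
The caching hypothesis raised in the thread, modelled as an added example (not code from NodeBB, nginx or any poster): the decision from the middleware snippet above sits behind a hypothetical proxy cache, once keyed on the URL alone and once with logged-in requests kept out of the cache. `CONFIG`, `FILE`, `makeProxy` and `replay` are constructed for illustration.

```javascript
// Added example: a model of the caching hypothesis, not NodeBB or nginx code.
// CONFIG, FILE, makeProxy and replay are constructed for illustration.
const CONFIG = { privateUploads: true, privateUploadsExtensions: '', relativePath: '' };
const FILE = '/assets/uploads/files/constructed-example.png';
const guest = { path: FILE, loggedIn: false };
const member = { path: FILE, loggedIn: true };

// Same decision as the privateUploads middleware in the thread, as a pure
// function returning the status. A regex stands in for path.extname.
function privateUploadStatus(req, config) {
  if (req.loggedIn || !config.privateUploads) return 200;
  if (req.path.startsWith(`${config.relativePath}/assets/uploads/files`)) {
    const extensions = (config.privateUploadsExtensions || '').split(',').filter(Boolean);
    const match = /\.([^./]+)$/.exec(req.path);
    const ext = match ? match[1] : '';
    if (!extensions.length || extensions.includes(ext)) return 403;
  }
  return 200;
}

// 'naive' caches every status under the URL alone.
// 'safe' never answers logged-in requests from cache and stores only
// 200 responses that were produced for guests.
function makeProxy(mode, config) {
  const cache = new Map();
  return function handle(req) {
    const mayReadCache = mode === 'naive' || !req.loggedIn;
    if (mayReadCache && cache.has(req.path)) return cache.get(req.path);
    const status = privateUploadStatus(req, config);
    const mayStore = mode === 'naive' || (status === 200 && !req.loggedIn);
    if (mayStore) cache.set(req.path, status);
    return status;
  };
}

// Statuses seen by a sequence of requests passing through one proxy instance.
function replay(mode, requests) {
  const proxy = makeProxy(mode, CONFIG);
  return requests.map((req) => proxy(req));
}

console.log('naive, guest then member:', replay('naive', [guest, member]));
console.log('naive, member then guest:', replay('naive', [member, guest]));
console.log('safe,  guest then member:', replay('safe', [guest, member]));
console.log('safe,  member then guest:', replay('safe', [member, guest]));
```

In the naive mode the first sequence reproduces the symptom reported here (a logged-in user receives the guest's 403), and the second shows the opposite failure, where a guest is served a file that was fetched by a logged-in user.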