Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Protect Uploads - download should not be possible without logging in #724

Closed
graywolf336 opened this issue Sep 7, 2015 · 22 comments
Closed
Assignees

Comments

@graywolf336
Copy link
Contributor

Right now uploads to a Rocket.Chat instance are not protected, meaning anyone can download them without being authenticated. I feel this should be an admin option, to protect or not protect uploads and require an account to download them.

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

@geekgonecrazy
Copy link
Contributor

Absolutely agree! Almost think it should just default to requiring authentication. Do we want an option? I guess it doesn't hurt...

@graywolf336
Copy link
Contributor Author

That's what I'm thinking, protected status is enabled by default and admins have the option to allow anyone with a link to download them.

@geekgonecrazy
Copy link
Contributor

Looks like this will involve modifying another meteor module: jalik:ufs and jalik:ufs-gridfs Maybe to let us pass in some middleware which we could use to check for a Meteor.userId()

@geekgonecrazy
Copy link
Contributor

Disregard ;-)

https://github.com/jalik/jalik-ufs/#setting-permissions looks to be exactly what I was talking about

@gmsecrieru
Copy link
Contributor

I have started working on this but could not find a way to detect if the request for the file is coming from an authenticated user. I wonder if that is related to the way the file endpoint is defined on jalik:ufs

Any pro-tips @RocketChat/owners ?

@GaWr26
Copy link

GaWr26 commented Oct 25, 2015

Is there any progress on this issue as it is crucial to our implementation? I tried disabling file upload in admin settings but with no effect. Still able to upload files when set to false..

@gmsecrieru
Copy link
Contributor

@FlashGuy22 this should be ready by tomorrow.

@gmsecrieru gmsecrieru mentioned this issue Oct 27, 2015
3 tasks
@Sing-Li Sing-Li changed the title Protect Uploads Protect Uploads - download URL should require authentication Nov 19, 2015
@Sing-Li Sing-Li changed the title Protect Uploads - download URL should require authentication Protect Uploads - download URL should not be possible without logging in Nov 19, 2015
@Sing-Li Sing-Li changed the title Protect Uploads - download URL should not be possible without logging in Protect Uploads - download should not be possible without logging in Nov 19, 2015
@Againstreality
Copy link

What happens here this is an issue if companys should use it.

@Megatronic79
Copy link

Version 0.10 of RC it seems image uploads is broken? Version 0.9 I had this same issue if protected was turned on but in this version "on or off" the preview is missing

2015-12-21 18_08_17-start

on upload and if you download the from the link it is corrupt. can anyone else reproduce this error?

@k0nsl
Copy link
Contributor

k0nsl commented Dec 21, 2015

@Megatronic79

Yes, I can reproduce it.
selection_026

@k0nsl
Copy link
Contributor

k0nsl commented Dec 22, 2015

This is the output I see in the terminal:

I20151221-23:11:44.758(-5)? { '0': 
I20151221-23:11:44.758(-5)?    { _id: 'KdYeasz3cdiJvNvxY',
I20151221-23:11:44.758(-5)?      name: 'System Monitor_025.png',
I20151221-23:11:44.787(-5)?      size: 58048,
I20151221-23:11:44.788(-5)?      type: 'image/png',
I20151221-23:11:44.788(-5)?      rid: 'hxK6cr57Gwo2oG7jL',
I20151221-23:11:44.788(-5)?      complete: true,
I20151221-23:11:44.788(-5)?      uploading: false,
I20151221-23:11:44.788(-5)?      store: 'rocketchat_uploads',
I20151221-23:11:44.788(-5)?      extension: 'png',
I20151221-23:11:44.789(-5)?      userId: '4mkpxoqXtfq2utqEC',
I20151221-23:11:44.789(-5)?      uploadedAt: Mon Dec 21 2015 23:11:44 GMT-0500 (EST),
I20151221-23:11:44.790(-5)?      url: 'https://192.168.1.90/ufs/rocketchat_uploads/KdYeasz3cdiJvNvxY/System Monitor_025.png' } }
I20151221-23:11:45.289(-5)? stream.permissions.read EequjtQvjA8Lfe8oF hxK6cr57Gwo2oG7jL
I20151221-23:11:45.292(-5)? stream.permissions.read EequjtQvjA8Lfe8oF hxK6cr57Gwo2oG7jL
I20151221-23:11:45.293(-5)? stream.permissions.read kR2dmCrtsvSBzGunn hxK6cr57Gwo2oG7jL
I20151221-23:11:45.295(-5)? stream.permissions.read 4mkpxoqXtfq2utqEC hxK6cr57Gwo2oG7jL

This error crops up with code pulled only five minutes ago and the issue itself has persisted for about two or three days.

@engelgabriel
Copy link
Member

Are guys running version v0.10.1 ?

@Megatronic79
Copy link

I updated to 10.1 and its working fine for me now.

Only thing is when I download an image from the windows client it spawns another client to download then leaves it open see below:

2015-12-22 10_34_34-microsoft edge

@k0nsl
Copy link
Contributor

k0nsl commented Dec 22, 2015

@engelgabriel: I'm on whatever version is the most current. I pull home the new code from development branch once a day.

@engelgabriel
Copy link
Member

@Megatronic79 can you open an issue on our Electron project?

@k0nsl how are you installing it? Are you using docker, meteor build or just just meteor?
What do you get on your https://demo.rocket.chat/api/info ?

@k0nsl
Copy link
Contributor

k0nsl commented Dec 22, 2015

@engelgabriel
My current routine looks like this:

[initiate a new screen session]

screen -S rocket.chat

Fetch latest code from the primary branch:

git fetch --all && git reset --hard origin/develop

Start it up:

meteor

...then detach screen, sit back and (hopefully) enjoy the result ;)

[EDIT]

The output of /api/info is:

{
  "version": "0.10.1",
  "compile": {
    "date": "2015-12-22T04:10:45.798Z",
    "nodeVersion": "v0.10.40",
    "arch": "x64",
    "platform": "linux",
    "osRelease": "3.16.0-4-amd64",
    "totalMemmory": 4157698048,
    "freeMemmory": 1376940032,
    "cpus": 8
  },
  "commit": {
    "hash": "c32ccf901348cb9194c6d55193cd21a9b0981e08",
    "date": "Tue Dec 22 00:01:40 2015 -0200",
    "author": "Marcelo Schmidt",
    "subject": "Show room topic"
  },
  "tag": "v0.10.1",
  "branch": "master",
  "GraphicsMagick": {
    "enabled": false
  },
  "ImageMagick": {
    "enabled": false
  }
}

@engelgabriel
Copy link
Member

@k0nsl what port are you running Rocket.Chat on? Meteor runs on 3000 by default, but you url: 'https://192.168.1.90/ufs/rocketchat_uploads/KdYeasz3cdiJvNvxY/System Monitor_025.png' has no port.

What is your Site URL config on your admin panel?

@sampaiodiego
Copy link
Member

btw, the method you described is strongly not recommended for production. 😉 (I don't know if it is your test method, but I have to say this)

@k0nsl
Copy link
Contributor

k0nsl commented Dec 22, 2015

@engelgabriel
It actually runs nginx in front of it, as a reverse proxy. I notice that there is no longer any choice to set "GridFS" or "FileSystem" for file storage (et cetera). When uploads still worked I remember using "FileSystem" as the "storage backend".

@sampaiodiego
I've run it this way since day one and I have been with you guys almost since the code came up here on GitHub. At the time the method I'm using seemed the fastest and easiest to get started.

@engelgabriel
Copy link
Member

And are you sure you've tried uploading with the v0.10.1, and not before it? There was a bug on the v0.10.0

@engelgabriel
Copy link
Member

@sampaiodiego just explained, the problem is the "space" in the file name. He is fixing it.

@engelgabriel
Copy link
Member

this is now fixed on v0.10.2

Please reopen otherwize.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

10 participants