diff --git a/public/language/en-GB/admin/settings/uploads.json b/public/language/en-GB/admin/settings/uploads.json
index f08b6efedf..e0382bd8da 100644
--- a/public/language/en-GB/admin/settings/uploads.json
+++ b/public/language/en-GB/admin/settings/uploads.json
@@ -2,6 +2,8 @@
 "posts": "Posts",
 "allow-files": "Allow users to upload regular files",
 "private": "Make uploaded files private",
+ "private-extensions": "File extensions to make private",
+ "private-uploads-extensions-help": "Enter comma-separated list of file extensions to make private here (e.g. pdf,xls,doc). An empty list means all files are private.",
 "max-image-width": "Resize images down to specified width (in pixels)",
 "max-image-width-help": "(in pixels, default: 760 pixels, set to 0 to disable)",
 "resize-image-quality": "Quality to use when resizing images",
diff --git a/src/middleware/index.js b/src/middleware/index.js
index 0173ecb3c6..5c58771282 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -145,8 +145,14 @@ middleware.privateUploads = function (req, res, next) {
 if (req.loggedIn || parseInt(meta.config.privateUploads, 10) !== 1) {
 return next();
 }
+
 if (req.path.startsWith(nconf.get('relative_path') + '/assets/uploads/files')) {
- return res.status(403).json('not-allowed');
+ var extensions = (meta.config.privateUploadsExtensions || '').split(',').filter(Boolean);
+ var ext = path.extname(req.path);
+ ext = ext ? ext.replace(/^\./, '') : ext;
+ if (!extensions.length || extensions.includes(ext)) {
+ return res.status(403).json('not-allowed');
+ }
 }
 next();
 };
diff --git a/src/views/admin/settings/uploads.tpl b/src/views/admin/settings/uploads.tpl
index e523c928c5..34d7f96771 100644
--- a/src/views/admin/settings/uploads.tpl
+++ b/src/views/admin/settings/uploads.tpl
@@ -20,6 +20,14 @@
+
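Review bot: The extension comparison in the new `if (!extensions.length || extensions.includes(ext))` block in src/middleware/index.js is an exact string match, so a configured `pdf` does not cover a file stored as `report.PDF`, and an admin list typed as `pdf, xls` leaves a leading space on `xls` that never matches; normalise both sides before comparing, e.g. `var extensions = (meta.config.privateUploadsExtensions || '').split(',').map(function (e) { return e.trim().toLowerCase(); }).filter(Boolean);` and `var ext = path.extname(req.path).replace(/^\./, '').toLowerCase();`. Since `req.path` is inspected as received rather than after percent-decoding, the extension tested here may differ from the one the static handler resolves on disk — worth confirming against how the uploads route serves files and decoding first if they diverge. The hunk also starts using `path.extname` without adding a `require('path')`; if `path` is not already required at the top of index.js this throws at request time, so that should be checked. Whether `privateUploadsExtensions` is the exact key the new uploads.tpl input writes cannot be confirmed from this page, as the template hunk is garbled here.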
+ + +

+ [[admin/settings/uploads:private-uploads-extensions-help]] +

+
+