Hi all RB users and devs,
we've had an issue reported to us about the possibility of accessing an uploaded file, even 
if the user is not logged in to RB, using a direct link.

Steps to reproduce:

- log in to RB

- upload a file to a review request, copy its URL

- log out

- paste the URL into the browser, example pattern:

https://rb_site.com/media/uploaded/files/2021/01/11/9f1bf574-3b3b-4692-a486-9570953c9913__test.txt

Expected result:
an access denied window or authentication window should appear

Actual result:
you will see the content of the file without authorization

Is it possible to set up Apache or RB in some way to reach the expected result 
(the issue was also noticed on the RB 4.0 demo)?

Regards,

Lukasz

