Description
Feature Description
At the moment, any attachment you upload on a gitea instance will be publicly available,
i.e. https://try.gitea.io/attachments/a35cb41a-1afe-4415-bb8c-6058e29e9e21.
This is not always a good idea, as sometimes attachments are files that should be hidden from the public, i.e. personal information or security concerns.
This is especially a requirement for private issues, as otherwise no attachments can be safely shared.
Proposal
In addition to the existing upload mechanism that uploads to /attachments/<UUID>, we should add a second mechanism that returns 404 if the user is not allowed to read this attachment.
I can think of two possible implementations for the backend:
- Add a separate path structure
/attachments/private/<context>/UUIDto store private attachments, where<context>can be for example<user>/<repo>/<comment-id> - Add a proxy before returning the attachment that stores in the db the necessary information for private attachments, i.e.
type AttachmentInfo struct {
ID int64
AttachmentID string `xorm:"UNIQUE"`
RepoID int64
PosterID int64Then, if no attachment info exists, the attachment is public, and otherwise the user must be the poster of this attachment, or have (at least) read access to issues (and PRs) on this repo.
The edge case attachmentInfo exists (=> attachment is private) && user is not logged in should probably still result in not showing the attachment, as a private attachment should always mean "only logged in users can see it", otherwise it could also be public.
The problem with this feature are especially two points:
- What UI would result in a good user experience for this?
- How to avoid performance problems? Every query for an attachment now needs a database query…