v8-archive
Unauthenticated users can access the files uploaded on Directus
• Version of Directus: 8.8.1
• AWS EC2 Amazon Linux 2 - MariaDB 10.4.13
• Steps to Reproduce:
1. Clean Installation of Directus 8
2. Login as Admin and upload a file
3. Make sure Public role has no permission on any custom or system collection
4. Open a different browser in which the user is unauthenticated and paste the URL to access the file https://{{directus}}/{{project}}/assets/{(unknown)}
5. The file can be viewed/downloaded
The ideal solution for me would be to have a private S3 bucket as storage, not publicly accessible. Directus should check the user permission when requesting an assets/{(unknown)}. Maybe the token should be sent as query parameter?
Images are 99% assets and should be accessible to anyone in my opinion.
@luglia that's why
Directus should check the user permission when requesting an assets/{(unknown)}.
is a good idea. It allows users that want to have it public to give access to the public role, while allowing others to more finely specify what is accessible and what's not.
If there is anyone searching for a quick solution:
Simply add the auth middleware to the assets route in src/web.php
```php
// Original route registration in src/web.php, now disabled:
//$app->get('/{project}/assets/{id}', \Directus\Api\Routes\Assets::class);

// Re-register the assets route inside the project group so the same
// auth middleware used by the other API routes runs before the handler.
$app->group('/{project}', function () use ($middleware) {
    $this->get('/assets/{id}', \Directus\Api\Routes\Assets::class)
        ->add($middleware['auth_user'])
        ->add($middleware['auth'])
        ->add($middleware['table_gateway']);
    // ...
```
After that the assets url is no longer available with public access.
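A quick way to verify the change took effect, as an added script that is not part of the thread or of Directus: it assumes placeholder values for the host, project, asset id and token, and that the instance accepts a bearer token in the Authorization header.

```shell
#!/bin/sh
# Added check script (not from the issue thread or Directus): after applying the
# middleware change, confirm the asset URL is rejected anonymously and still
# served to an authenticated user. All values below are placeholders.
DIRECTUS_URL="${DIRECTUS_URL:-https://directus.example.com}"  # placeholder host
PROJECT="${PROJECT:-_}"                                         # placeholder project
ASSET_ID="${ASSET_ID:-1}"                                       # placeholder asset id
TOKEN="${TOKEN:-}"                                              # token of a user allowed to read files

# Verdict for the anonymous request: only 401/403 means the route is protected.
classify_anonymous() {
  case "$1" in
    401|403) echo "protected" ;;
    200)     echo "public" ;;
    404)     echo "missing" ;;
    *)       echo "unexpected:$1" ;;
  esac
}
# Verdict for the authenticated request: the file must still be served.
classify_authenticated() {
  case "$1" in
    200)     echo "ok" ;;
    401|403) echo "denied" ;;
    *)       echo "unexpected:$1" ;;
  esac
}
# Return only the HTTP status code; $2 is an optional bearer token (assumed
# to be accepted in the Authorization header by this Directus instance).
status_for() {
  if [ -n "$2" ]; then
    curl -s -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $2" "$1"
  else
    curl -s -o /dev/null -w '%{http_code}' "$1"
  fi
}
# Exit non-zero if anonymous access is still possible or the token is refused.
check_asset() {
  url="$DIRECTUS_URL/$PROJECT/assets/$ASSET_ID"
  anon=$(classify_anonymous "$(status_for "$url")")
  echo "anonymous: $anon"
  [ "$anon" = "protected" ] || return 1
  [ -z "$TOKEN" ] && return 0
  auth=$(classify_authenticated "$(status_for "$url" "$TOKEN")")
  echo "authenticated: $auth"
  [ "$auth" = "ok" ]
}

# Set RUN_CHECK=1 to perform the live check against your own instance.
if [ "${RUN_CHECK:-0}" = "1" ]; then check_asset; fi
```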