Media files are reachable unauthenticated #17972

Closed
@Andres1357

Deployment Type

Self-hosted

Triage priority

N/A

NetBox Version

v4.1.6

Python Version

3.12

Steps to Reproduce

  1. Install NetBox v4.1.0 - 4.1.6 and ensure configuration variable LOGIN_REQUIRED = True.
  2. Add an image attachment to any object and get the URL to the image (https://yournetbox.com/media/image-attachments/yourimage.png).
  3. Attempt to access that URL while logged out of NetBox.

I've reproduced this in various NetBox versions (4.1.0, 4.1.1, 4.1.5, 4.1.6) both as standalone and in Docker.

It is reproducible using the Documents plugin as well, as it also stores files in the media directory (https://yournetbox.com/media/netbox-documents/doc.pdf).

I've also reproduced it on https://netbox-demo.netboxlabs.com, though I can't confirm if that instance has LOGIN_REQUIRED = True.

Expected Behavior

It is my understanding that NetBox should not display the file and instead redirect to the login page if the variable LOGIN_REQUIRED = True. This was the behavior seen on NetBox v4.0.3.

Observed Behavior

NetBox displays the file just as if you were logged in.
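
A check an operator could run against their own instance to confirm or rule out the behaviour reported above, added here as an example; it is not part of the original issue or of NetBox's code. It assumes the login redirect points at a path containing `/login`; the function names and the sample responses are constructed for illustration.

```python
"""Check whether a /media/ URL is served to a client that sends no session."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following
    # it, so a redirect to the login page is observed rather than hidden.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers):
    """Map an unauthenticated response to exposed / protected / inconclusive."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    login_path = "/login"  # assumption: path the instance redirects to
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(h.get("location", "")).path
        return "protected" if login_path in target else "inconclusive"
    if status in (401, 403):
        return "protected"
    # A 200 carrying a non-HTML body means the file itself was returned.
    # A 200 with text/html may be a rendered login page, so it is not counted.
    if status == 200 and ctype and ctype != "text/html":
        return "exposed"
    return "inconclusive"


def check_media_url(url, timeout=10):
    """Request url with no cookies or credentials and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers)


# Constructed responses (not captured from a real instance) for the two
# behaviours the report contrasts with LOGIN_REQUIRED = True.
SAMPLES = {
    "expected": (302, {"Location": "/login/?next=/media/image-attachments/yourimage.png"}),
    "observed": (200, {"Content-Type": "image/png"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(name, "->", classify(status, headers))
```
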
Labels

  - severity: high (Completely breaks certain functions, or substantially degrades performance application-wide)
  - status: accepted (This issue has been accepted for implementation)
  - type: bug (A confirmed report of unexpected behavior in the application)
