Disallow anonymous users from viewing image & file URLs (Discourse)

Today we began internally trialling a new “secure media” setting, which is only usable if S3 uploads are enabled. What this will do is the following:

  • For Discourse instances that have the “login required” setting enabled, all uploads are considered secure, but if the setting is not enabled, only private message uploads are considered secure.
  • All securely uploaded media URLs within posts and private messages will no longer directly point to the file, but will go through an endpoint to determine access to the media first based on site settings.
  • Secure media in emails are replaced by placeholder text prompting users to log in to the Discourse instance to view the media.
  • If an upload has been used in a secure context previously, we do not allow posting the same upload in a public topic.

This setting is currently only available for self-hosted Discourse instances. We will provide further updates once we have completed internal trials.

I use S3-compatible storage, so this will work on most instances I host. Could be useful for business applications, where folks need storage space with a bit more oomph. That list is pretty amazing for such a feature.