thedevdojo / voyager

Voyager - The Missing Laravel Admin
https://voyager.devdojo.com
MIT License

Images uploaded via Voyager Image Formfield type are granted public access by default #5035

Open ankitsabharwal opened 4 years ago

ankitsabharwal commented 4 years ago

Version information

Description

Images are uploaded on S3 with visibility set to 'public' by default even though the visibility setting is not made in the config file as shown above.

Steps To Reproduce

Steps to reproduce the behavior:

  1. filesystems.php
        's3' => [
            'driver' => 's3',
            'key' => env('AWS_ACCESS_KEY_ID'),
            'secret' => env('AWS_SECRET_ACCESS_KEY'),
            'region' => env('AWS_DEFAULT_REGION'),
            'bucket' => env('AWS_BUCKET'),
            'url' => env('AWS_CLOUDFRONT_URL'),
        ],
  2. Upload image using the Images formfield type in Voyager dashboard
  3. The uploaded image has been granted public access as shown below: [Screenshot 2020-08-04 at 21 03 22]

Expected behavior

As the visibility config is not set to 'public', images uploaded by default should not be granted public access. Note: This is not happening for other file types. On uploading PDF files or using the media picker, this is working fine. I am facing this issue only while using the Image formfield in Voyager.

Additional context

On digging deeper, I saw that while writing the image objects the visibility object has been set to 'public'. On changing this to 'private' the images uploaded are not granted any public access.

https://github.com/the-control-group/voyager/blob/cbf9ceed421e6153323f659d502b5694b16c0b3b/src/Http/Controllers/ContentTypes/Image.php#L59

Also, this throws an access denied error when I have blocked public access to the S3 bucket. As images are being uploaded with public access by default, if the S3 bucket has 'Block All Public Access' as On, there are access denied errors, as expected, because Voyager is trying to write objects with 'public' visibility.

This works perfectly fine while uploading PDF files. PDF files uploaded through Voyager are not granted public access and hence are uploaded successfully without the need of granting public access to the entire bucket (which cannot be given in my use case).

Am I missing something here? Any help would be appreciated.

ankitsabharwal commented 1 year ago

Still seeing this in the latest 1.6 release. Unable to set security permissions to our S3 buckets and use CloudFront distributions because of this issue.

Not sure if I am missing something here. Any help will be appreciated. Thank you!
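A way to confirm the behaviour reported in this issue from the S3 side, as an added example that is not part of the original thread or of Voyager: it scans object ACLs for grants to the "everyone" groups. It assumes the 'public' visibility reaches S3 as a public-read object ACL; the object keys, owner ID and ACL documents are constructed sample data in the shape of a GetObjectAcl response.

```python
"""Flag S3 object ACLs that grant access to everyone (constructed sample data)."""

# Group URIs S3 uses for "anyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_grants(acl):
    """Return sorted (group, permission) pairs that expose the object publicly.

    `acl` has the shape of a GetObjectAcl response: {"Owner": ..., "Grants": [...]}.
    """
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to a specific canonical user are not public
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group:
            found.add((group, grant.get("Permission", "")))
    return sorted(found)


def audit(acls_by_key):
    """Map each object key to its public grants, omitting keys with none."""
    report = {}
    for key, acl in acls_by_key.items():
        grants = public_grants(acl)
        if grants:
            report[key] = grants
    return report


# Constructed sample: an image written with a public-read ACL, a PDF written privately.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
SAMPLE_ACLS = {
    "posts/example-image.jpg": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": ALL_USERS, "Permission": "READ"},
    ]},
    "posts/example-document.pdf": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    ]},
}

if __name__ == "__main__":
    for key, grants in audit(SAMPLE_ACLS).items():
        print(key, grants)
```

Against a real bucket, each ACL dictionary would come from the S3 client's `get_object_acl(Bucket=..., Key=...)` call in boto3.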