February 25, 2015 in Feedback
A vital trust bond between me and my membership is my guarantee of privacy. We share pictures of our families, kids, whatever, and don't generally want our faces known in the real world.
After upgrading to IPB 4 I'm horrified to see all these images attached to posts are now visible to guests. The attached images appear to have been converted to links pointing directly to the file in the uploads directory. The permissions to prevent guests from downloading attachments are still correct but now the images are publicly visible. I urgently need to remedy this but I can find no setting in ACP.
This is actually how images have always worked. If you embed an image into a post, it is rendered in a way that points directly to where the image is stored on disk. The only difference between 3.x and 4.0 is where the replacement is done: in 3.x it was done when displaying the content to the user, 4.0 does it when saving.
Of course we take privacy very seriously and so when images are saved to disk, they are renamed in a way that makes it effectively impossible for them to be located by people without permission to see them.
While it is possible to route images through a script which checks permissions, and indeed this is what we do for non-image files, this has significant downsides for images: firstly it is much less efficient, especially as it negates all benefits of high-performance storage services like Amazon S3 which benefit larger communities, but also there are places where a permission check would fail, for example, if the image is included in a notification email. Furthermore, it actually provides very little benefit. If a member of your community has access to view an image, they can indeed share the URL to that image with someone without permission, but they could also just download the original image and share the image, which of course they'd be able to do even if the image was routed through a permission-checking script.
It's worth noting, for example, Facebook and other sites work in exactly the same way. If I upload a photo to Facebook and set it to only be accessible to certain users, any one of those users can right-click on the image and obtain the image's URL. But it is so obscure that only a user with permission to start with could get that URL.
I hope that clears it up. Please let me know if you have any other concerns.
Sure I know, and thank you for clarifying. I'm just trying to think of any way to remedy without just hitting the delete button on ten years' worth of uploads. It's going to be a tough one to explain to the membership.
This topic is now archived and is closed to further replies.