Private memo attachement available to everyone with the link

[v-sulimov]

Describe the bug

Hello.
I have noticed some behavior that I believe is potentially unsafe.
When I open a private memo that has an attachment, I am able to open the attachment in a separate browser window or tab.
The link to the attachment appears to be: https://domain.memos.com/file/resources/abcdef/doc.pdf.
My concern is that anyone with access to this link could potentially view or download the attached file without authorization. Is this intended behavior, or is it a bug?
Thank you for your attention to this matter.

Steps to reproduce

1. Open a private memo with attachment
2. Copy a link to attachment
3. Open it on any other device

The version of Memos you're using

v0.24.2

Screenshots or additional context

No response

[johnnyjoygh]

@v-sulimov I cannot reproduce it in an incognito window or a logged-out window.

[v-sulimov]

@johnnyjoygh
I double-checked and I was able to reproduce it.
Steps to reproduce (Using Firefox browser):

1. Create a private note with an attachment (for example, a picture)
2. Right-click on the image -> open image in a new tab.
3. Copy the link to this image from the new tab.
4. Try to save the data using curl.

[mdg-pnw]

I was not able to duplicate this in my instance.

I performed the same steps and when I tried to access the resource in a private window or from my terminal I got:
{"code":16, "message":"unauthorized access", "details":[]}

[ganiszulfa]

I wasn't able to reproduce this either. One possible cause I can think of is that you might have Nginx or something else that's serving the file directly, bypassing the Memos permission check? @v-sulimov