File System Attachments - Access Denied

Description

When you attach a file to a chat, it generates a link to “https:///file-upload//.”

Clicking on the link returns 403 Access Denied.

Clicking on the “Download” link beside the main link works fine.

Is this a bug or a config issue?

Server Setup Information

  • Version of Rocket.Chat Server: 3.9.1
  • Operating System: Ubuntu 20.04
  • Deployment Method: Docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: Enabled
  • NodeJS Version:
  • MongoDB Version:
  • Proxy: Nginx
  • Firewalls involved: No

Any additional Information

I’m sorry if I’m bringing up this old topic, but I also have the same issue. It seems to have appeared suddenly after the update of Ubuntu and/or Rocket.Chat (I am now with the latest v6.3.2). I also have a self-hosted deployment on Docker.

Have you by any chance resolved it?

From what I’ve noticed, the difference between clicking on the attachment and the download link seems to be the presence of the parameter “?download” in the generated URL.

In its absence, the downloads return a 403 forbidden error.

Hello,
I have the same problem when I try to open files from the desktop app (on Windows). If I’m also connected in the web interface (Firefox, for example), I can open files from the desktop app. Is it possible to configure only the download of files, and deactivate the opening of files?
Thanks in advance

Did you ever sort this out? We are having the same issue after a recent update, currently on 6.4.2.

What type of storage do you use?

In our case we are using GridFS.

I have disabled the “Only authenticated users will have access” option in the settings - File Upload

After that, the PDF files are opened in the browser, and the rest are simply downloaded.

I couldn’t believe I had to create an account in this forum to clarify the issue, and why no one from Rocket.Chat is explaining this issue, because this is a “feature”. As marlynxlinux already wrote, you need to unset the setting to get access to the files, but you don’t need to.

The steps to reproduce are as follows:

  • Open a chat with an attachment in your Rocket.Chat APP!! Not in the browser
  • Click on a link to download an uploaded file
  • → You get the 403 error

This means you are not logged in to your Rocket.Chat instance in the browser. If you log in to your Rocket.Chat instance in your browser, then you are authenticated, and you can download the files.

If you unset the setting as marlynxlinux wrote, you can always download files because these links are downloadable by everyone with no auth.

The bug is that the Rocket.Chat client will open documents in the default browser instead of in the RC client → the browser will then get a 403 unless one is logged in there as well.
This is a bug; it should not open this in the browser if clicked on from the (authenticated) Rocket.Chat client.
See also: Downloading files opens default browser, leading to 403 · Issue #227 · RocketChat/Rocket.Chat.Electron · GitHub