Images: Updated access to consider public secure_restricted

ssddanbrown · ssddanbrown · commit 73c6bf4f8dee · 2025-11-21T12:09:25.000Z
Had prevented public access for images when secure_restricted images was
enabled (and for just secure images) when app settings allowed public
access.

This considers the app public setting, and adds tests to cover extra
scenarios to prevent regression.
diff --git a/app/Uploads/ImageService.php b/app/Uploads/ImageService.php
@@ -264,7 +264,7 @@ public function pathAccessible(string $imagePath): bool
             return false;
         }
 
-        if ($this->storage->usingSecureImages() && user()->isGuest()) {
+        if ($this->blockedBySecureImages()) {
             return false;
         }
 
@@ -280,13 +280,24 @@ public function imageAccessible(Image $image): bool
             return false;
         }
 
-        if ($this->storage->usingSecureImages() && user()->isGuest()) {
+        if ($this->blockedBySecureImages()) {
             return false;
         }
 
         return $this->imageFileExists($image->path, $image->type);
     }
 
+    /**
+     * Check if the current user should be blocked from accessing images based on if secure images are enabled
+     * and if public access is enabled for the application.
+     */
+    protected function blockedBySecureImages(): bool
+    {
+        $enforced = $this->storage->usingSecureImages() && !setting('app-public');
+
+        return $enforced && user()->isGuest();
+    }
+
     /**
      * Check if the given image path exists for the given image type and that it is likely an image file.
      */
diff --git a/app/Uploads/ImageStorage.php b/app/Uploads/ImageStorage.php
@@ -74,7 +74,7 @@ protected function getDiskName(string $imageType): string
             return 'local';
         }
 
-        // Rename local_secure options to get our image specific storage driver which
+        // Rename local_secure options to get our image-specific storage driver, which
         // is scoped to the relevant image directories.
         if ($localSecureInUse) {
             return 'local_secure_images';
diff --git a/tests/Uploads/ImageTest.php b/tests/Uploads/ImageTest.php
@@ -5,6 +5,8 @@
 use BookStack\Entities\Repos\PageRepo;
 use BookStack\Uploads\Image;
 use BookStack\Uploads\ImageService;
+use BookStack\Uploads\UserAvatars;
+use BookStack\Users\Models\Role;
 use Illuminate\Support\Str;
 use Tests\TestCase;
 
@@ -467,6 +469,26 @@ public function test_system_images_remain_public_with_local_secure_restricted()
         }
     }
 
+    public function test_avatar_images_visible_only_when_public_access_enabled_with_local_secure_restricted()
+    {
+        config()->set('filesystems.images', 'local_secure_restricted');
+        $user = $this->users->admin();
+        $avatars = $this->app->make(UserAvatars::class);
+        $avatars->assignToUserFromExistingData($user, $this->files->pngImageData(), 'png');
+
+        $avatarUrl = $user->getAvatar();
+
+        $resp = $this->get($avatarUrl);
+        $resp->assertRedirect('/login');
+
+        $this->permissions->makeAppPublic();
+
+        $resp = $this->get($avatarUrl);
+        $resp->assertOk();
+
+        $this->files->deleteAtRelativePath($user->avatar->path);
+    }
+
     public function test_secure_restricted_images_inaccessible_without_relation_permission()
     {
         config()->set('filesystems.images', 'local_secure_restricted');
@@ -491,6 +513,38 @@ public function test_secure_restricted_images_inaccessible_without_relation_perm
         }
     }
 
+    public function test_secure_restricted_images_accessible_with_public_guest_access()
+    {
+        config()->set('filesystems.images', 'local_secure_restricted');
+        $this->permissions->makeAppPublic();
+
+        $this->asEditor();
+        $page = $this->entities->page();
+        $this->files->uploadGalleryImageToPage($this, $page);
+        $image = Image::query()->where('type', '=', 'gallery')
+            ->where('uploaded_to', '=', $page->id)
+            ->first();
+
+        $expectedUrl = url($image->path);
+        $expectedPath = storage_path($image->path);
+        auth()->logout();
+
+        $this->get($expectedUrl)->assertOk();
+
+        $this->permissions->setEntityPermissions($page, [], []);
+
+        $resp = $this->get($expectedUrl);
+        $resp->assertNotFound();
+
+        $this->permissions->setEntityPermissions($page, ['view'], [Role::getSystemRole('public')]);
+
+        $this->get($expectedUrl)->assertOk();
+
+        if (file_exists($expectedPath)) {
+            unlink($expectedPath);
+        }
+    }
+
     public function test_thumbnail_path_handled_by_secure_restricted_images()
     {
         config()->set('filesystems.images', 'local_secure_restricted');

Original file line number	Diff line number	Diff line change
`@@ -264,7 +264,7 @@ public function pathAccessible(string $imagePath): bool`
`264`	`264`	`return false;`
`265`	`265`	`}`
`266`	`266`
`267`		`- if ($this->storage->usingSecureImages() && user()->isGuest()) {`
	`267`	`+ if ($this->blockedBySecureImages()) {`
`268`	`268`	`return false;`
`269`	`269`	`}`
`270`	`270`
`@@ -280,13 +280,24 @@ public function imageAccessible(Image $image): bool`
`280`	`280`	`return false;`
`281`	`281`	`}`
`282`	`282`
`283`		`- if ($this->storage->usingSecureImages() && user()->isGuest()) {`
	`283`	`+ if ($this->blockedBySecureImages()) {`
`284`	`284`	`return false;`
`285`	`285`	`}`
`286`	`286`
`287`	`287`	`return $this->imageFileExists($image->path, $image->type);`
`288`	`288`	`}`
`289`	`289`
	`290`	`+ /**`
	`291`	`+ * Check if the current user should be blocked from accessing images based on if secure images are enabled`
	`292`	`+ * and if public access is enabled for the application.`
	`293`	`+ */`
	`294`	`+ protected function blockedBySecureImages(): bool`
	`295`	`+ {`
	`296`	`+ $enforced = $this->storage->usingSecureImages() && !setting('app-public');`
	`297`	`+`
	`298`	`+ return $enforced && user()->isGuest();`
	`299`	`+ }`
	`300`	`+`
`290`	`301`	`/**`
`291`	`302`	`* Check if the given image path exists for the given image type and that it is likely an image file.`
`292`	`303`	`*/`
Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ protected function getDiskName(string $imageType): string`
`74`	`74`	`return 'local';`
`75`	`75`	`}`
`76`	`76`
`77`		`- // Rename local_secure options to get our image specific storage driver which`
	`77`	`+ // Rename local_secure options to get our image-specific storage driver, which`
`78`	`78`	`// is scoped to the relevant image directories.`
`79`	`79`	`if ($localSecureInUse) {`
`80`	`80`	`return 'local_secure_images';`