From 35e2e1462bd68d9bd9b99715d5992c9371c6e862 Mon Sep 17 00:00:00 2001
From: barisusakli <barisusakli@gmail.com>
Date: Sun, 26 Oct 2014 17:04:55 -0400
Subject: [PATCH] closes #2295

---
 src/routes/index.js               | 10 ++++++++++
 src/views/admin/settings/post.tpl |  5 +++++
 2 files changed, 15 insertions(+)

diff --git a/src/routes/index.js b/src/routes/index.js
index 5b8bb8d638..c8a8e4d59e 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
@@ -149,6 +149,16 @@ module.exports = function(app, middleware) {
 		require('./debug')(app, middleware, controllers);
 	}
 
+	app.use(function(req, res, next) {
+		if (req.user || parseInt(meta.config.privateUploads, 10) !== 1) {
+			return next();
+		}
+		if (req.path.indexOf('/uploads/files') === 0) {
+			return res.status(403).json('not-allowed');
+		}
+		next();
+	});
+
 	app.use(relativePath, express.static(path.join(__dirname, '../../', 'public'), {
 		maxAge: app.enabled('cache') ? 5184000000 : 0
 	}));
diff --git a/src/views/admin/settings/post.tpl b/src/views/admin/settings/post.tpl
index b618e6f5ba..a451e701e2 100644
--- a/src/views/admin/settings/post.tpl
+++ b/src/views/admin/settings/post.tpl
@@ -45,6 +45,11 @@
 					<input type="checkbox" data-field="allowFileUploads"> <strong>Allow users to upload regular files</strong>
 				</label>
 			</div>
+			<div class="checkbox">
+				<label>
+					<input type="checkbox" data-field="privateUploads"> <strong>Make uploaded files private</strong>
+				</label>
+			</div>
 			<strong>Maximum File Size</strong><br /> <input type="text" class="form-control" value="2048" data-field="maximumFileSize"><br />
 
 			<div class="checkbox">