From 85a55d1740dbbb224cd4aa0e5974cf0650fcd06e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Mon, 9 Jul 2018 14:57:42 -0400
Subject: [PATCH] closes
---
 public/language/en-GB/admin/settings/uploads.json | 2 ++
 src/middleware/index.js | 8 +++++++-
 src/views/admin/settings/uploads.tpl | 8 ++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/public/language/en-GB/admin/settings/uploads.json b/public/language/en-GB/admin/settings/uploads.json
index f08b6efedf..e0382bd8da 100644
--- a/public/language/en-GB/admin/settings/uploads.json
+++ b/public/language/en-GB/admin/settings/uploads.json
@@ -2,6 +2,8 @@
 "posts": "Posts",
 "allow-files": "Allow users to upload regular files",
 "private": "Make uploaded files private",
+ "private-extensions": "File extensions to make private",
+ "private-uploads-extensions-help": "Enter comma-separated list of file extensions to make private here (e.g. pdf,xls,doc). An empty list means all files are private.",
 "max-image-width": "Resize images down to specified width (in pixels)",
 "max-image-width-help": "(in pixels, default: 760 pixels, set to 0 to disable)",
 "resize-image-quality": "Quality to use when resizing images",
diff --git a/src/middleware/index.js b/src/middleware/index.js
index 0173ecb3c6..5c58771282 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -145,8 +145,14 @@ middleware.privateUploads = function (req, res, next) {
 if (req.loggedIn || parseInt(meta.config.privateUploads, 10) !== 1) {
 return next();
 }
+
 if (req.path.startsWith(nconf.get('relative_path') + '/assets/uploads/files')) {
- return res.status(403).json('not-allowed');
+ var extensions = (meta.config.privateUploadsExtensions || '').split(',').filter(Boolean);
+ var ext = path.extname(req.path);
+ ext = ext ? ext.replace(/^\./, '') : ext;
+ if (!extensions.length || extensions.includes(ext)) {
+ return res.status(403).json('not-allowed');
+ }
 }
 next();
 };
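Review bot: The new extension check in `middleware.privateUploads` compares the raw result of `path.extname(req.path)` with the raw entries of `privateUploadsExtensions`, so it fails open on trivial mismatches: a file stored as `report.PDF`, or a setting typed as `pdf, xls` or `.pdf`, does not match and the guest request falls through to `next()`. Both sides should be normalised before comparing, e.g. `var extensions = (meta.config.privateUploadsExtensions || '').split(',').map(function (e) { return e.trim().replace(/^\./, '').toLowerCase(); }).filter(Boolean);` and `var ext = path.extname(req.path).replace(/^\./, '').toLowerCase();`. The guard also reads `req.path` as sent by the client; if the static file handler further down decodes or normalises the path before resolving the file (not visible here), the extension this check sees and the file actually served can differ, so it is worth matching on the decoded path or enforcing the rule where the file is resolved. The function's opening line appears only in the hunk header, so whether `path` is already required in this file could not be confirmed.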
diff --git a/src/views/admin/settings/uploads.tpl b/src/views/admin/settings/uploads.tpl
index e523c928c5..34d7f96771 100644
--- a/src/views/admin/settings/uploads.tpl
+++ b/src/views/admin/settings/uploads.tpl
@@ -20,6 +20,14 @@ +
+ + +

+ [[admin/settings/uploads:private-uploads-extensions-help]] +

+
+