closes

public/language/en-GB/admin/settings/uploads.json

@@ -2,6 +2,8 @@
 	"posts": "Posts",
 	"allow-files": "Allow users to upload regular files",
 	"private": "Make uploaded files private",
+	"private-extensions": "File extensions to make private",
+	"private-uploads-extensions-help": "Enter comma-separated list of file extensions to make private here (e.g. <code>pdf,xls,doc</code>). An empty list means all files are private.",
 	"max-image-width": "Resize images down to specified width (in pixels)",
 	"max-image-width-help": "(in pixels, default: 760 pixels, set to 0 to disable)",
 	"resize-image-quality": "Quality to use when resizing images",

src/middleware/index.js

@@ -145,8 +145,14 @@ middleware.privateUploads = function (req, res, next) {
 	if (req.loggedIn || parseInt(meta.config.privateUploads, 10) !== 1) {
 		return next();
 	}
+
 	if (req.path.startsWith(nconf.get('relative_path') + '/assets/uploads/files')) {
-		return res.status(403).json('not-allowed');
+		var extensions = (meta.config.privateUploadsExtensions || '').split(',').filter(Boolean);
+		var ext = path.extname(req.path);
+		ext = ext ? ext.replace(/^\./, '') : ext;
+		if (!extensions.length || extensions.includes(ext)) {
+			return res.status(403).json('not-allowed');
+		}
 	}
 	next();
 };

src/views/admin/settings/uploads.tpl

@@ -20,6 +20,14 @@
 				</label>
 			</div>
 
+			<div class="form-group">
+				<label for="maximumImageWidth">[[admin/settings/uploads:private-extensions]]</label>
+				<input type="text" class="form-control" value="" data-field="privateUploadsExtensions" placeholder="">
+				<p class="help-block">
+					[[admin/settings/uploads:private-uploads-extensions-help]]
+				</p>
+			</div>
+
 			<div class="form-group">
 				<label for="maximumImageWidth">[[admin/settings/uploads:max-image-width]]</label>
 				<input type="text" class="form-control" value="760" data-field="maximumImageWidth" placeholder="760">