From 817a710c2e4d9c0d3edd19ef4f3612b638de7b48 Mon Sep 17 00:00:00 2001
From: JuniorJPDJ
Date: Fri, 17 Mar 2023 14:34:48 +0000
Subject: [PATCH] fix(nginx): expose only subdirectories of /media
---
 changes/changelog.d/public-media.bugfix | 1 +
 deploy/nginx.template | 11 +++++++++--
 docker/nginx/conf.dev | 11 +++++++++--
 front/docker/funkwhale.conf.template | 11 +++++++++--
 4 files changed, 28 insertions(+), 6 deletions(-)
 create mode 100644 changes/changelog.d/public-media.bugfix
diff --git a/changes/changelog.d/public-media.bugfix b/changes/changelog.d/public-media.bugfix
new file mode 100644
index 000000000..4fa615c24
--- /dev/null
+++ b/changes/changelog.d/public-media.bugfix
@@ -0,0 +1 @@
+Fixes an issue which made it possible to download all media files without access control (#2101)
diff --git a/deploy/nginx.template b/deploy/nginx.template
index 4f4d8e379..214bc2ca4 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -120,8 +120,15 @@ server {
 proxy_pass http://funkwhale-api;
 }
- location /media/ {
- alias ${MEDIA_ROOT}/;
+ # Allow direct access to only specific subdirectories in /media
+ location /media/__sized__/ {
+ alias ${MEDIA_ROOT}/__sized__/;
+ add_header Access-Control-Allow-Origin '*';
+ }
+
+ # Allow direct access to only specific subdirectories in /media
+ location /media/attachments/ {
+ alias ${MEDIA_ROOT}/attachments/;
 add_header Access-Control-Allow-Origin '*';
 }
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index 0a931289b..7ddd3396a 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
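Review bot: With the catch-all `location /media/` removed, any other path under `/media/` now falls through to whichever broader prefix location matches — presumably the `location /` block outside this hunk — so the new restriction is implicit and depends on that fallback; assuming nothing else under `/media/` is meant to be served directly, an explicit `location /media/ { return 404; }` fails closed, and nginx still prefers the longer `/media/__sized__/` and `/media/attachments/` prefixes over it. Both new `location` prefixes and their `alias` targets end in `/`; keep them paired that way, since a prefix without the trailing slash combined with an `alias` that has one is the classic nginx alias misconfiguration that lets requests reach files outside the aliased directory. The comment `# Allow direct access to only specific subdirectories in /media` is repeated verbatim above each block; a single comment stating the reason reads better, e.g. `# Only these subdirectories are served by nginx directly; all other media must go through the API so access control applies`. The same applies to the identical hunks in docker/nginx/conf.dev and front/docker/funkwhale.conf.template.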
@@ -112,8 +112,15 @@ http {
 proxy_pass http://funkwhale-api;
 }
- location /media/ {
- alias /protected/media/;
+ # Allow direct access to only specific subdirectories in /media
+ location /media/__sized__/ {
+ alias /protected/media/__sized__/;
+ add_header Access-Control-Allow-Origin '*';
+ }
+
+ # Allow direct access to only specific subdirectories in /media
+ location /media/attachments/ {
+ alias /protected/media/attachments/;
 add_header Access-Control-Allow-Origin '*';
 }
diff --git a/front/docker/funkwhale.conf.template b/front/docker/funkwhale.conf.template
index de876ce2c..08e25c8be 100644
--- a/front/docker/funkwhale.conf.template
+++ b/front/docker/funkwhale.conf.template
@@ -85,8 +85,15 @@ server {
 proxy_pass http://funkwhale-api;
 }
- location /media/ {
- alias ${MEDIA_ROOT}/;
+ # Allow direct access to only specific subdirectories in /media
+ location /media/__sized__/ {
+ alias ${MEDIA_ROOT}/__sized__/;
+ add_header Access-Control-Allow-Origin '*';
+ }
+
+ # Allow direct access to only specific subdirectories in /media
+ location /media/attachments/ {
+ alias ${MEDIA_ROOT}/attachments/;
 add_header Access-Control-Allow-Origin '*';
 }