[Bug Report]: #2451

Closed
opened 2026-02-05 04:10:36 +03:00 by OVERLORD · 7 comments
Owner

Originally created by @a030225033 on GitHub (Oct 22, 2021).

Describe the Bug

uploads/images since you don’t need account secret, you can browse

path
/uploads/images/gallery/

Steps to Reproduce

know url

Expected Behaviour

input account

Screenshots or Additional Context

No response

Exact BookStack Version

v21.08.6

PHP Version

php 7.4

Hosting Environment

ubuntu 20.04
nginx

OVERLORD added the 🐛 Bug label 2026-02-05 04:10:36 +03:00

@jhrdt commented on GitHub (Oct 22, 2021):

Hi @a030225033,

the public availability of uploaded images is the default behaviour.

You can change the storage_type in your .env to ensure that only logged-in users can see uploaded images.

Please consult the docs for more information: https://www.bookstackapp.com/docs/admin/security/#securing-images


@a030225033 commented on GitHub (Oct 22, 2021):

setting
env

```
STORAGE_TYPE=local_secure
```

nginx

```nginx
location /uploads {
    autoindex off;
}
```

No effect


@jhrdt commented on GitHub (Oct 22, 2021):

Hi @a030225033,

did you do that?

> If you are migrating to this option with existing images you will need to **move** all content in the folder public/uploads/images to storage/uploads/images.
> **Do not** simply copy and leave content in the public/uploads/images as those images will still be publicly accessible.
>
> [https://www.bookstackapp.com/docs/admin/security/#securing-images]
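
The migration step quoted above, as an added shell example that is not part of the original thread and not BookStack's own tooling: it moves files out of public/uploads/images, then checks that `STORAGE_TYPE=local_secure` is set and that nothing is left in the web-served folder. The install-root argument and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not BookStack code). Argument: BookStack install root (assumed layout
# from the thread: public/uploads/images, storage/uploads/images, .env in the root).

# True when .env selects the secure local image driver.
storage_type_is_secure() {
    grep -Eq '^STORAGE_TYPE="?local_secure"?[[:space:]]*$' "$1/.env"
}

# Print how many regular files are still directly web-served.
count_public_images() {
    if [ -d "$1/public/uploads/images" ]; then
        find "$1/public/uploads/images" -type f | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Move (never copy) every image into storage/, keeping relative paths.
# A file whose name already exists in storage/ is left in place and reported.
migrate_images() {
    root=$(cd "$1" && pwd) || return 1
    src="$root/public/uploads/images"
    dst="$root/storage/uploads/images"
    [ -d "$src" ] || return 0
    mkdir -p "$dst"
    ( cd "$src" && find . -type f -exec sh -c '
        dst=$1; shift
        for rel in "$@"; do
            mkdir -p "$dst/$(dirname "$rel")"
            if [ -e "$dst/$rel" ]; then
                echo "not moved, name exists in storage: $rel" >&2
            else
                mv "$rel" "$dst/$rel"
            fi
        done' sh "$dst" {} + )
}

# Exit status 0 only when the setting is active and nothing is left in public/.
audit_image_storage() {
    storage_type_is_secure "$1" || { echo "FAIL: STORAGE_TYPE is not local_secure" >&2; return 1; }
    left=$(count_public_images "$1")
    [ "$left" -eq 0 ] || { echo "FAIL: $left file(s) still in public/uploads/images" >&2; return 1; }
    echo "OK: local_secure active, public/uploads/images holds no files"
}

# Usage: sh script.sh /path/to/bookstack
if [ "$#" -eq 1 ]; then migrate_images "$1" && audit_image_storage "$1"; fi
```

A failing audit after migration means some files collided with names already in storage/ and still need a manual decision.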


@ssddanbrown commented on GitHub (Oct 22, 2021):

In addition, `autoindex` should be off by default with nginx so I'd suspect that something else could be overriding the setting. Alternatively nginx has not been restarted for the setting to take effect. Or the location block has been added in an incorrect way.


@a030225033 commented on GitHub (Oct 25, 2021):

`nginx -s reload`
Still the same, ineffective


@ssddanbrown commented on GitHub (Oct 25, 2021):

@a030225033 What about the advice provided by @jhrdt above? That's more direct to ensuring the `local_secure` option is active. Otherwise you'll need to search for a reason why `autoindexes` are active at all. It sounds like there's something else at play on your server. If you're following any specific instructions feel free to provide those along with further information regarding your setup (Was this a fresh operating system install? Was there an existing website before setting up BookStack?)


@ssddanbrown commented on GitHub (Oct 31, 2021):

Since there's been no follow-up I'm going to close this. If the issue remains and is something you still require to be fixed please message me from this issue or open a new issue, referencing this one.


Reference: starred/BookStack#2451