[PR #403] [CLOSED] docs: Do not expose media directory #585

New issue

Closed

opened 2026-02-25 21:32:19 +03:00 by kerem · 0 comments

kerem commented

2026-02-25 21:32:19 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/ciur/papermerge/pull/403
Author: @maxtruxa
Created: 7/19/2021
Status: ❌ Closed

Base: master ← Head: patch-1

📝 Commits (1)

dd516e8 docs: Do not expose media directory

📊 Changes

1 file changed (+0 additions, -9 deletions)

View changed files

📝 docs/source/setup/server_configurations.rst (+0 -9)

📄 Description

Description

Do not instruct users to expose the media directory unprotected. This is unsafe and as far as I can tell not necessary for normal operation of a Papermerge instance.

Serving the media directory straight through the webserver circumvents all access controls present in the web frontend and the REST API, leaving user data unprotected. Anyone who gets access to a valid document link can access that document.
If the user's webserver has directory listings enabled, this turns into a complete disaster, as all files are immediately discoverable and accessible.

My only guess is, that this might have been required in previous versions of Papermerge?

Type of change

This change requires a documentation update

How Has This Been Tested?

n/a

Checklist:

I have read the Contributing file available here
~~I have formatted this PR according to PEP8 rules~~
~~I have commented my code, particularly in hard-to-understand areas~~
~~I have made corresponding changes to the documentation~~
~~My changes generate no new warnings~~
~~I have added tests that prove my fix is effective or that my feature works~~
~~New and existing unit tests pass locally with my changes~~

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/ciur/papermerge/pull/403 **Author:** [@maxtruxa](https://github.com/maxtruxa) **Created:** 7/19/2021 **Status:** ❌ Closed **Base:** `master` ← **Head:** `patch-1` --- ### 📝 Commits (1) - [`dd516e8`](https://github.com/ciur/papermerge/commit/dd516e87075be672e0cb83fd4df85742e19ef18a) docs: Do not expose media directory ### 📊 Changes **1 file changed** (+0 additions, -9 deletions) <details> <summary>View changed files</summary> 📝 `docs/source/setup/server_configurations.rst` (+0 -9) </details> ### 📄 Description # Description Do not instruct users to expose the media directory unprotected. This is unsafe and as far as I can tell not necessary for normal operation of a Papermerge instance. Serving the media directory straight through the webserver circumvents all access controls present in the web frontend and the REST API, leaving user data unprotected. Anyone who gets access to a valid document link can access that document. If the user's webserver has directory listings enabled, this turns into a complete disaster, as all files are immediately discoverable and accessible. My only guess is, that this might have been required in previous versions of Papermerge? ## Type of change - [x] This change requires a documentation update # How Has This Been Tested? n/a # Checklist: - [x] I have read the [Contributing file available here](https://github.com/ciur/papermerge/blob/master/CONTRIBUTING.md) - ~I have formatted this PR according to [PEP8 rules](https://www.python.org/dev/peps/pep-0008/)~ - ~I have commented my code, particularly in hard-to-understand areas~ - ~I have made corresponding changes to the documentation~ - ~My changes generate no new warnings~ - ~I have added tests that prove my fix is effective or that my feature works~ - ~New and existing unit tests pass locally with my changes~ --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>