From 9df81105e2480de0c3fdb0ad3ce040326c13fc6f Mon Sep 17 00:00:00 2001 From: Kibi Kelburton Date: Sat, 13 Jun 2026 16:05:54 +0200 Subject: [PATCH] update private_society to allow direct urls --- src/index.mjs | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/src/index.mjs b/src/index.mjs index e4b9e87..6ac296f 100644 --- a/src/index.mjs +++ b/src/index.mjs @@ -487,14 +487,18 @@ process.on('uncaughtException', err => { if (req.url.pathname === '/manifest.json' || req.url.pathname === '/sw.js') return; if (req.url.pathname.match(/^\/(b|c|t|ca|a|memes)\//) || req.url.pathname.startsWith('/s/emojis/')) { - if (cfg.websrv.private_society && !req.cookies?.session) { - res.writeHead(200, { 'Content-Type': 'text/html' }).end(nginx502 ?? buildGatePage(req)); - req.url.pathname = '/private_society_media_bypass'; - return; - } + // protect_files gates raw file URLs behind a session (401 if not logged in). + // private_society also gates file URLs — but only when protect_files is ALSO enabled. + // If private_society is on but protect_files is off, direct file URLs are intentionally + // left public so they can be shared without requiring a login. if (getProtectFiles() && !req.cookies?.session) { - res.writeHead(401).end('Unauthorized'); - req.url.pathname = '/protect_files_bypass'; + if (cfg.websrv.private_society) { + res.writeHead(200, { 'Content-Type': 'text/html' }).end(nginx502 ?? buildGatePage(req)); + req.url.pathname = '/private_society_media_bypass'; + } else { + res.writeHead(401).end('Unauthorized'); + req.url.pathname = '/protect_files_bypass'; + } return; } return;