feat: Remove attachments from public access

Closes #219

server/config/custom.js

@@ -26,6 +26,6 @@ module.exports.custom = {
   projectBackgroundImagesPath: path.join(sails.config.paths.public, 'project-background-images'),
   projectBackgroundImagesUrl: `${process.env.BASE_URL}/project-background-images`,
 
-  attachmentsPath: path.join(sails.config.paths.public, 'attachments'),
+  attachmentsPath: path.join(sails.config.appPath, 'private', 'attachments'),
   attachmentsUrl: `${process.env.BASE_URL}/attachments`,
 };

server/config/policies.js

@@ -18,21 +18,10 @@ module.exports.policies = {
 
   '*': 'is-authenticated',
 
-  // 'users/index': ['is-authenticated', 'is-admin'],
   'users/create': ['is-authenticated', 'is-admin'],
   'users/delete': ['is-authenticated', 'is-admin'],
 
   'projects/create': ['is-authenticated', 'is-admin'],
-  // 'projects/update': ['is-authenticated', 'is-admin'],
-  // 'projects/update-background-image': ['is-authenticated', 'is-admin'],
-  // 'projects/delete': ['is-authenticated', 'is-admin'],
-
-  // 'project-memberships/create': ['is-authenticated', 'is-admin'],
-  // 'project-memberships/delete': ['is-authenticated', 'is-admin'],
-
-  // 'boards/create': ['is-authenticated', 'is-admin'],
-  // 'boards/update': ['is-authenticated', 'is-admin'],
-  // 'boards/delete': ['is-authenticated', 'is-admin'],
 
   'access-tokens/create': true,
 };

server/config/routes.js

@@ -75,6 +75,16 @@ module.exports.routes = {
   'GET /api/notifications/:id': 'notifications/show',
   'PATCH /api/notifications/:ids': 'notifications/update',
 
+  'GET /attachments/:id/download/:filename': {
+    action: 'attachments/download',
+    skipAssets: false,
+  },
+
+  'GET /attachments/:id/download/thumbnails/:filename': {
+    action: 'attachments/download-thumbnail',
+    skipAssets: false,
+  },
+
   'GET /*': {
     view: 'index',
     skipAssets: true,