All attachments that users upload are public, at least in the public facing version of the app.

Steps to reproduce:

1. Sign in and create a new request
2. Upload an attachment
3. View the proposal and scroll down to "attachments to this proposal" section.
4. Click on the attachment link
5. Copy / Paste the URL into an incognito window. The file is still successfully loaded, despite the lack of authentication.

Wow, thank you for the 🐛 report! Added to our issue tracker here:

https://www.pivotaltracker.com/story/show/98143198

Will update here when it's in progress or done, unless you would be interested in taking a crack at it 😉 Thanks again!

Hi @anthonygarvan! Thanks for taking a look.

Attachments are stored in an S3 bucket and accessible only with a timed authentication code. It's currently set to expire after ten minutes, meaning that, if you visit that url ten minutes after copy-pasting, you'll get an authentication error. Relying on S3's authentication means we don't bog down the application servers with proxy traffic, but we might want to consider limiting the timeout to something shorter.

So, authentication is needed, you're just passing it along with the URL. It'd be akin to sharing your session key. Does that make sense?

Ah, gotcha. Makes sense. No, 10 minutes is reasonable. I'll close the issue, seems like it's not a real concern.