From dba5dd14e76f86ea1c230ae6a92f18718c442ce6 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Wed, 21 Oct 2020 21:00:40 -0700
Subject: [PATCH] fix: Put public and private uploads in separate folders to allow for restrictive AWS policies

closes #1581
---
 server/api/attachments.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server/api/attachments.js b/server/api/attachments.js
index 6a634887..b92bfcbc 100644
--- a/server/api/attachments.js
+++ b/server/api/attachments.js
@@ -27,13 +27,15 @@ router.post("attachments.create", auth(), async (ctx) => {
 const { user } = ctx.state;
 const s3Key = uuid.v4();
- const key = `uploads/${user.id}/${s3Key}/${name}`;
 const acl = ctx.body.public === undefined ? AWS_S3_ACL : ctx.body.public ? "public-read" : "private";
+
+ const bucket = acl === "public-read" ? "public" : "uploads";
+ const key = `${bucket}/${user.id}/${s3Key}/${name}`;
 const credential = makeCredential();
 const longDate = format(new Date(), "YYYYMMDDTHHmmss\\Z");
 const policy = makePolicy(credential, longDate, acl);
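Review bot: `bucket` on the first added line is a misnomer: it holds the leading key prefix inside the same S3 bucket, not a bucket name, and since the prefix is exactly what a restrictive bucket policy would match on, the name should say so — `const prefix = acl === "public-read" ? "public" : "uploads";` and `const key = \`${prefix}/${user.id}/${s3Key}/${name}\`;`, preceded by `// key prefix, not a bucket: bucket policies scope public vs private objects by this first path segment`. Note that the fallback branch routes every ACL other than "public-read" — including whatever `AWS_S3_ACL` is configured to — under `uploads/`, so a policy written for that prefix has to cover every value the env var can take; a short comment stating that would save the next reader from guessing. The prefix is chosen server-side from `acl`, so the public/private boundary does not depend on `name`; `name` is defined outside this hunk, and the enclosing handler starts and ends outside it as well.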