Secure expense receipts by wiring Media Library to FileDisk

Spatie Media Library now uses the default FileDisk (local_private) for new uploads instead of the public disk. Expense receipts are no longer directly web-accessible. - AppServiceProvider configures media-library disk from FileDisk on boot - Change media-library fallback from 'public' to 'local' - Expense receipt URL accessor returns authenticated route instead of direct file URL - Add registerMediaCollections() to Expense model - Prevent deleting FileDisk that contains files or is a system disk - Add media:secure command to migrate existing receipts to private disk Fixes #187
2026-04-18 18:54:07 +00:00 · 2026-04-07 01:01:59 +02:00
parent 39c9179888
commit 67268ac2b7
5 changed files with 187 additions and 4 deletions
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -2,6 +2,8 @@

 namespace App\Providers;

+use App\Models\FileDisk;
+use App\Models\Setting;
 use App\Policies\CompanyPolicy;
 use App\Policies\CustomerPolicy;
 use App\Policies\DashboardPolicy;
@@ -57,6 +59,7 @@ class AppServiceProvider extends ServiceProvider

        if (InstallUtils::isDbCreated()) {
            $this->addMenus();
+            $this->configureMediaDisk();
        }

        Gate::policy(Role::class, RolePolicy::class);
@@ -166,4 +169,29 @@ class AppServiceProvider extends ServiceProvider
    {
        Broadcast::routes(['middleware' => 'api.auth']);
    }
+
+    /**
+     * Configure Spatie Media Library to use the FileDisk system.
+     *
+     * Resolves the media disk from the `media_disk_id` setting,
+     * falling back to the default FileDisk. This ensures media
+     * uploads go to a private disk by default.
+     */
+    private function configureMediaDisk(): void
+    {
+        try {
+            $mediaDiskId = Setting::getSetting('media_disk_id');
+            $disk = $mediaDiskId
+                ? FileDisk::find($mediaDiskId)
+                : FileDisk::where('set_as_default', true)->first();
+
+            if ($disk) {
+                $disk->setConfig();
+                $prefix = env('DYNAMIC_DISK_PREFIX', 'temp_');
+                config(['media-library.disk_name' => $prefix.$disk->driver]);
+            }
+        } catch (\Exception $e) {
+            // DB not yet migrated or settings table missing — use config default
+        }
+    }
 }