FEATURE: Add rake task to disable secure media (#8669)

* Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed.
* Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs

app/controllers/uploads_controller.rb

@@ -115,12 +115,25 @@ class UploadsController < ApplicationController
   def show_secure
     # do not serve uploads requested via XHR to prevent XSS
     return xhr_not_allowed if request.xhr?
+    return render_404 if !Discourse.store.external?
+
+    path_with_ext = "#{params[:path]}.#{params[:extension]}"
+
+    sha1 = File.basename(path_with_ext, File.extname(path_with_ext))
+    # this takes care of optimized image requests
+    sha1 = sha1.partition("_").first if sha1.include?("_")
+
+    upload = Upload.find_by(sha1: sha1)
+    return render_404 if upload.blank?
 
     if SiteSetting.secure_media?
-      redirect_to Discourse.store.signed_url_for_path("#{params[:path]}.#{params[:extension]}")
-    else
-      render_404
+      return redirect_to Discourse.store.signed_url_for_path(path_with_ext)
     end
+
+    # we don't want to 404 here if secure media gets disabled
+    # because all posts with secure uploads will show broken media
+    # until rebaked, which could take some time
+    redirect_to Discourse.store.cdn_url(upload.url)
   end
 
   def metadata