FEATURE: new 'prevent anons from download files' site setting

app/assets/javascripts/discourse/lib/click_track.js

@@ -79,7 +79,7 @@ Discourse.ClickTrack = {
     e.preventDefault();
 
     // We don't track clicks on quote back buttons
-    if ($link.hasClass('back') || $link.hasClass('quote-other-topic')) return true;
+    if ($link.hasClass('back') || $link.hasClass('quote-other-topic')) { return true; }
 
     // Remove the href, put it as a data attribute
     if (!$link.data('href')) {
@@ -90,6 +90,12 @@ Discourse.ClickTrack = {
       $link.data('auto-route', true);
     }
 
+    // warn the user if they can't download the file
+    if (Discourse.SiteSettings.prevent_anons_from_downloading_files && $link.hasClass("attachment") && !Discourse.User.current()) {
+      bootbox.alert(I18n.t("post.errors.attachment_download_requires_login"));
+      return false;
+    }
+
     // If we're on the same site, use the router and track via AJAX
     if (Discourse.URL.isInternal(href) && !$link.hasClass('attachment')) {
       Discourse.ajax("/clicks/track", {

app/controllers/uploads_controller.rb

@@ -20,6 +20,7 @@ class UploadsController < ApplicationController
 
     RailsMultisite::ConnectionManagement.with_connection(params[:site]) do |db|
       return render_404 unless Discourse.store.internal?
+      return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
 
       id = params[:id].to_i
       url = request.fullpath