Update S3 to use world-readable files

2 files changed, 7 insertions, 2 deletions

diff --git a/docs/installation.rst b/docs/installation.rst
index 662a980..e4c0878 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -84,9 +84,12 @@ be provided from the first boot.
     fully-qualified URL prefix that serves that directory.
 
   * If it is set to ``gcs://``, it must be in the form ``gcs://bucket-name``
-    (note the two slashes if you just want a bucket name)
+    (note the two slashes if you just want a bucket name). Your bucket must
+    be set to world-readable and have individual object permissions disabled.
 
-  * If it is set to ``s3://``, it must be in the form ``s3://access-key:secret-key@endpoint-url/bucket-name``
+  * If it is set to ``s3://``, it must be in the form
+    ``s3://access-key:secret-key@endpoint-url/bucket-name``. Your bucket must
+    permit publically-readable files to be uploaded.
 
 * ``TAKAHE_MAIN_DOMAIN`` should be the domain name (without ``https://``) that
   will be used for default links (such as in emails). It does *not* need to be
diff --git a/takahe/settings.py b/takahe/settings.py
index 2dc4ffa..288ecca 100644
--- a/takahe/settings.py
+++ b/takahe/settings.py
@@ -304,6 +304,8 @@ if SETUP.MEDIA_BACKEND:
     elif parsed.scheme == "s3":
         DEFAULT_FILE_STORAGE = "storages.backends.s3boto3.S3Boto3Storage"
         AWS_STORAGE_BUCKET_NAME = parsed.path.lstrip("/")
+        AWS_QUERYSTRING_AUTH = False
+        AWS_DEFAULT_ACL = "public-read"
         if parsed.username is not None:
             AWS_ACCESS_KEY_ID = parsed.username
             AWS_SECRET_ACCESS_KEY = urllib.parse.unquote(parsed.password)