Public vs private images
A common approach is to gate every uploaded image. Images in private pages can only be viewed by the owner while images in published pages can be viewed by anyone. We check whether an image is private or public before showing or not showing it.
Another approach is to have two buckets: Owner images and Public images. Every images uploaded will be added to the Owner bucket, where only the owner can see them. If and when the owner publishes some pages with images, those images will be "promoted" to the Public bucket. When the owner hides the pages with images, those images will be "demoted" (removed from the Public bucket, cached cleared, but a copy still exists in the Owner bucket for the owner's viewing).
This approach has several advantages:
- It keeps things clearer with the two buckets. Nothing in the Owner bucket can be accidentally leaked.
- If the read volume is high, this approach is cheaper because we don't have to check every images's status upon request.
- Once an image is in the Public bucket, it is just a CDN hit with no dependency beyond the CDN. Gating even public image means adding a new availability dependency; if there's an outage that prevents a database or authentication lookup, the images will break for all public visitors.
But it has some disadvantages, too:
- Having two buckets is more complex and could lead to sync issues. One bucket, one source of truth is simpler to understand.
- Every public asset exists twice, which can be expensive when there are a lot of them.
- There's a brief timing gap between "publish" and "image actually promoted". This could be handled with some product design.