Try our conversational search powered by Generative AI!

Restrict public url access to Content Assets uploaded attachment files at EPiServer Forms submission



I'm using a FormContainerBlock from SysSiteAssets>EPiServer Forms , to which form I add a FileUploadElementBlock in order for website visitors to upload files within the form. When I see Form Submissions list, I have a link to the uploaded files which includes "contentassets" directory and an hexadecidal string directory below, such us for example

The thing is that the url is public, and I don't want uploaded files from form to be public to everybody but restricted only for episerver users, or a group of those. At the same time, "globalassets" directory is where website images are stored, so they are already setup correctly for any website visitor to view images on the pages.

So where about can I restrict public access contentassets to just uploaded files, without affecting any other access rigths like current public globalassets access?

Thank you!

Feb 22, 2017 17:13

+1 Need an answer for this aswell. The guid helps secure the file a bit but iam looking for something more bulletproof.

Jul 05, 2017 11:57

Has anyone found a solution to this? Seems like quite a bit of an oversight.

Aug 10, 2017 14:30

We have a feature which restrict access upload files from visitiors, it is exactly the one you needed. The feature is not release yet. It would be Forms 4.6.2, I think.

Aug 11, 2017 5:00


Is this problem fixed yet? The next version seems to be 4.70 (not 4.6.2). 

If you read the release Notes for 4.70 it says nothing about this problem.  

Edited, Oct 20, 2017 10:19

We couldn't wait any longer for Episerver to release a fix so we used this approach which works pretty well for now...

Hope this helps.

Oct 20, 2017 10:26

It is released in Forms 4.7, it is security issue so you cannot see it on release notes. The fix will only effect for the new file upload which sent to server after you've upgrade. For the old files, they are still there.

Oct 20, 2017 10:30

Thanks for the very quick response :-)

Ok, that was good news.

We will install the 4.7 version of Forms as soon as possible!

Oct 20, 2017 10:33

I know this thread is old, but I am facing the same issue, and looking for how to secure the uploaded files from visitors.

Dac, can you please point me to any user guide or instructions for how to do this?  We have EPiServer.CMS 11.18.1 and EPiServer.Forms 4.29.3.


Feb 11, 2022 14:08

I had the exact opposite problem, and wrote this blogpost:

Maybe you can reverse it? I.e. restricting the access rights for the upload folder?

Feb 22, 2022 18:39

Thank you, Tomas!  This at least gives me a way to see what the access rights are for the "Uploaded Files" folders.  And it might even help me figure out how they got set the way they did.

Feb 22, 2022 22:04

Since EditSecurity.aspx changed with CMS-12, I went with a code solution to another role on publish of the file upload element.

Here's a bit of it for reference:

    public class FileUploadFolderService
        private readonly IContentRepository _contentRepository;
        private readonly IContentSecurityRepository _securityRepository;
        private readonly ContentAssetHelper _contentAssetHelper;

        public FileUploadFolderService(IContentRepository contentRepository, IContentSecurityRepository securityRepository, ContentAssetHelper contentAssetHelper)
            _contentRepository = contentRepository;
            _securityRepository = securityRepository;
            _contentAssetHelper = contentAssetHelper;

        public ContentReference GetOrCreateFileUploadFolder(IContent content)
            var assetFolder = _contentAssetHelper.GetOrCreateAssetFolder(content.ContentLink);
            var children = _contentRepository.GetChildren<ContentFolder>(assetFolder.ContentLink);
            var folder = children.FirstOrDefault(e => e.Name.Equals(Constants.FileUploadFolderName));
            if (folder != null)
                return folder.ContentLink;

            folder = _contentRepository.GetDefault<ContentFolder>(assetFolder.ContentLink);
            folder.Name = Constants.FileUploadFolderName;

            return _contentRepository.Save(folder, SaveAction.Publish, AccessLevel.NoAccess);

        public void SetFolderAccess(ContentReference contentReference)
            var contentSecurityDescriptor = new ContentAccessControlList();
            contentSecurityDescriptor.AddEntry(new AccessControlEntry(Roles.Administrators, AccessLevel.FullAccess, SecurityEntityType.Role));
            contentSecurityDescriptor.AddEntry(new AccessControlEntry(Roles.WebAdmins, AccessLevel.FullAccess, SecurityEntityType.Role));
            // Additional read role - set to whatever desired
            contentSecurityDescriptor.AddEntry(new AccessControlEntry("Authenticated", AccessLevel.Read, SecurityEntityType.Role));

            _securityRepository.Save(contentReference, contentSecurityDescriptor, SecuritySaveType.Replace);

    public class FileUploadInitializationModule : IInitializableModule {
        public void Initialize(InitializationEngine context) {
            var contentEvents = context.Locate.ContentEvents();
            contentEvents.PublishedContent += ContentEvents_PublishedContent;

        public void Uninitialize(InitializationEngine context) {
            var contentEvents = context.Locate.ContentEvents();
            contentEvents.PublishedContent -= ContentEvents_PublishedContent;

        private void ContentEvents_PublishedContent(object sender, ContentEventArgs args) {
            if (args.Content is FileUploadElementBlock) {
                var service = ServiceLocator.Current.GetInstance<FileUploadFolderService>();
                var contentRefenence = service.GetOrCreateFileUploadFolder(args.Content);
Dec 30, 2022 21:37

I need oppposite solution. We use Episerver.Forms 5.3.1 and CMS12. The uploaded files folder should have public access rights: everyone (not only visible for logged users) should open and read the uploaded file. So is the code included by Matthew Jimenez the only solution? Maybe it might be done in similar way like in the previous version of CMS: link?

Apr 13, 2023 8:57

Whatever you do, make sure the documents are not available in the public search of your website. If that's not intended.

Apr 13, 2023 9:06
Aneta Petryla - Apr 13, 2023 9:31
This uploaded file is attached to the email. The main goal is to be visible for this anonymous user and that's all.
Aneta Petryla - Apr 13, 2023 9:40
Probably I've dealt with it. I set up "everybody: read" access rights for the content where the forms's FileUpload component is placed and removed created by default "Uploaded files" folder. It has been created again with new rights probably inherited from the parent content. It seems to work :)
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.