I'm using a FormContainerBlock from SysSiteAssets>EPiServer Forms , to which form I add a FileUploadElementBlock in order for website visitors to upload files within the form. When I see Form Submissions list, I have a link to the uploaded files which includes "contentassets" directory and an hexadecidal string directory below, such us for example
The thing is that the url is public, and I don't want uploaded files from form to be public to everybody but restricted only for episerver users, or a group of those. At the same time, "globalassets" directory is where website images are stored, so they are already setup correctly for any website visitor to view images on the pages.
So where about can I restrict public access contentassets to just uploaded files, without affecting any other access rigths like current public globalassets access?
+1 Need an answer for this aswell. The guid helps secure the file a bit but iam looking for something more bulletproof.
Has anyone found a solution to this? Seems like quite a bit of an oversight.
We have a feature which restrict access upload files from visitiors, it is exactly the one you needed. The feature is not release yet. It would be Forms 4.6.2, I think.
Is this problem fixed yet? The next version seems to be 4.70 (not 4.6.2).
If you read the release Notes for 4.70 it says nothing about this problem.
We couldn't wait any longer for Episerver to release a fix so we used this approach which works pretty well for now...
Hope this helps.
It is released in Forms 4.7, it is security issue so you cannot see it on release notes. The fix will only effect for the new file upload which sent to server after you've upgrade. For the old files, they are still there.
Thanks for the very quick response :-)
Ok, that was good news.
We will install the 4.7 version of Forms as soon as possible!
I know this thread is old, but I am facing the same issue, and looking for how to secure the uploaded files from visitors.
Dac, can you please point me to any user guide or instructions for how to do this? We have EPiServer.CMS 11.18.1 and EPiServer.Forms 4.29.3.
I had the exact opposite problem, and wrote this blogpost:https://www.gulla.net/no/blog/episerver-forms-public-access-to-uploaded-files/
Maybe you can reverse it? I.e. restricting the access rights for the upload folder?
Thank you, Tomas! This at least gives me a way to see what the access rights are for the "Uploaded Files" folders. And it might even help me figure out how they got set the way they did.