Restrict public URL access to Content Assets uploaded attachment files at EPiServer Forms submission


Hello,

I'm using a FormContainerBlock from SysSiteAssets > EPiServer Forms, to which I add a FileUploadElementBlock in order for website visitors to upload files within the form. When I look at the Form Submissions list, I have a link to the uploaded files which includes the "contentassets" directory and a hexadecimal string directory below it, such as for example

http://myownexamplesite.com/contentassets/34259239074241e8bda186be05485075/636233568563803357_attachedFile.txt

The thing is that the URL is public, and I don't want files uploaded from the form to be public to everybody, but restricted to Episerver users only, or a group of those. At the same time, the "globalassets" directory is where website images are stored, so they are already set up correctly for any website visitor to view images on the pages.

So where can I restrict public access to contentassets for just the uploaded files, without affecting any other access rights, like the current public globalassets access?

Thank you!

#175530
Feb 22, 2017 17:13

+1 Need an answer for this as well. The GUID helps secure the file a bit, but I am looking for something more bulletproof.

#180290
Jul 05, 2017 11:57

Has anyone found a solution to this? Seems like quite a bit of an oversight.

#181172
Aug 10, 2017 14:30

We have a feature which restricts access to files uploaded by visitors; it is exactly the one you need. The feature is not released yet. It would be Forms 4.6.2, I think.

#181187
Aug 11, 2017 5:00

Hi!

Is this problem fixed yet? The next version seems to be 4.70 (not 4.6.2). 

If you read the release notes for 4.70, they say nothing about this problem.

https://world.episerver.com/documentation/Release-Notes/?versionFilter=4.7.0&packageFilter=EPiServer.Forms&typeFilter=All  

#183715
Edited, Oct 20, 2017 10:19

We couldn't wait any longer for Episerver to release a fix, so we used this approach, which works pretty well for now...

https://talk.alfnilsson.se/2016/05/06/episerver-forms-how-to-change-where-uploaded-files-are-stored/

Hope this helps.

#183716
Oct 20, 2017 10:26

It is released in Forms 4.7. It is a security issue, so you cannot see it in the release notes. The fix only takes effect for new file uploads sent to the server after you've upgraded. The old files are still there.

#183718
Oct 20, 2017 10:30

Thanks for the very quick response :-)

Ok, that was good news.

We will install the 4.7 version of Forms as soon as possible!

#183719
Oct 20, 2017 10:33

I know this thread is old, but I am facing the same issue, and looking for how to secure the uploaded files from visitors.

Dac, can you please point me to any user guide or instructions for how to do this?  We have EPiServer.CMS 11.18.1 and EPiServer.Forms 4.29.3.

Thanks! 

#271545
Feb 11, 2022 14:08

I had the exact opposite problem, and wrote this blog post:
https://www.gulla.net/no/blog/episerver-forms-public-access-to-uploaded-files/

Maybe you can reverse it? I.e. restricting the access rights for the upload folder?

#272736
Feb 22, 2022 18:39

Thank you, Tomas!  This at least gives me a way to see what the access rights are for the "Uploaded Files" folders.  And it might even help me figure out how they got set the way they did.

#272770
Feb 22, 2022 22:04