November Happy Hour will be moved to Thursday December 5th.
AI OnAI Off
User uploaded files may be publicly available
Hi,
Yes we do it intentionally. By default, uploaded files are not accessible by anonymous users. If you want only content editors have access right to uploaded files, remove all groups from Upload files folder except for content editors. For flexibility, you can override method EPiServer.Forms.Core.Internal.DataSubmissionService.GetOrCreateFolderForStoringFiles().
Edited,
Jun 27, 2019 11:31
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
Hi,
Episerver Forms 4.25.0 restricts access to uploaded files by removing the "Everyone" role and leaving everything else as-is. If the instance has defined additional read access for Visitor Groups, Users or other Groups, these remain and allow the users to read the uploaded files without special privileges.
These users, especially "Anonymous" role, should not have any visibility to the uploaded files.
Is this an intentional feature or a security issue? I would be happy to find a more secure workaround to restrict the file access from all but the content editors.
Please see method
EPiServer.Forms.Core.Internal.DataSubmissionService.GetOrCreateFolderForStoringFiles() in EPiServer.Forms.Core.dll for details.