Hi,
Yes, we do it intentionally. By default, uploaded files are not accessible by anonymous users. If you want only content editors to have access rights to uploaded files, remove all groups from the Upload files folder except for content editors. For flexibility, you can override the method EPiServer.Forms.Core.Internal.DataSubmissionService.GetOrCreateFolderForStoringFiles().
Hi,
Episerver Forms 4.25.0 restricts access to uploaded files by removing the "Everyone" role and leaving everything else as-is. If the instance has defined additional read access for Visitor Groups, Users or other Groups, these remain and allow the users to read the uploaded files without special privileges.
These users, especially the "Anonymous" role, should not have any visibility to the uploaded files.
Is this an intentional feature or a security issue? I would be happy to find a more secure workaround to restrict the file access from all but the content editors.
Please see method EPiServer.Forms.Core.Internal.DataSubmissionService.GetOrCreateFolderForStoringFiles() in EPiServer.Forms.Core.dll for details.