The Community forums are being phased out in favor of a new Slack group.
Add your email address below to get an invitation to join the community slack group
File Upload
I've been looking at some of the posts regarding File Upload component, and continue to have questions.
I'm surprised that the Files being uploaded do not automatically get assigned some type of unique identifier based on the User or Entry ID. More surprised it's not part of the core functionality.
I see that they get file under the uploads/formidable/<<FORM-ID> directory, but not having them unique to the submission is a big problem.
Ex: What if multiple users upload a file called "Image.jpg", I think they will keep overwriting each other?
If it's not built into the core product, is there a simple way to add a hook to do it?
I've some posts about it, but they are almost 2 years old, so don't know if they still are valid.
Another concerning area is that of security around accessing the documents.
I see that they are protected (somewhat) with an .htaccess redirect, but why hasn't more been done in this area to "harden" the protection a bit more, by limiting viewing of Formidable Uploads to (1) The User who Submitted; (2) Certain other roles (set in Form Settings).
In this day & age of the scrutiny of Internet Security, access to confidential data, I'm surprised this hasn't gotten more attention.
Any help or guidance in these areas would be greatly appreciated.
Thanks in advance,
Steve Dalton
June 5, 2017 at 11:52 pm
Hi Stephen,
Are your users logged in when they submit the forms?
If so you could use the form_upload_folder hook to create a new sub-folder on the fly for each user who uploads a file?
See here: https://formidableforms.com/knowledgebase/frm_upload_folder/#kb-organize-by-user-login
You can also change the file upload folder to any other location you like using this hook so the files don't have to go into the default folder.
There's more information on that here: http://community.formidableforms.com/help-desk/file-upload-folder/
If neither of those options work for you, you can rename and move the files when the form is submitted using the form_after_create_entry hook.
This might do what you need: https://formidableforms.com/knowledgebase/frm_after_create_entry/#kb-move-and-rename-files
Hope that helps
Chris
June 6, 2017 at 6:20 pm
Thanks Chris !
Yes, our website is a private website, where all users uploading forms will be approved members only.
I do think one of those options will work to at least keep the uploads unique to the Form & to the User.
My other concern is how to enforce security of the user opening the upload. I think that Formidable is using some type of .htaccess Rewrite to protect the file from being viewed directly.
I'm no where near an .htaccess expert, so I'm not 100% how this works (would be good if I can understand a bit more on that), and how secure it really is? Also, unsure if it'll continue working with the above solutions, as I think the .htaccess file is being written-out when the form is being created into only the parent formidable/<formID> folder, but not any sub-directories of usernames.
Sample Formidable .htaccess file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?www.campworc.com/.*$ [NC]
RewriteRule \.*$ - [F]
Ultimately, if would be good if the .htaccess file (or another method) could check to see what user is making the request, and whether that user is in a particular role. If they are not, then redirect to a page stating that they don't have access. Also, if User was logged-out of Wordpress at the time of the request, it should redirect them to the login page without rendering the uploaded file.
June 10, 2017 at 1:58 am
You can read this : https://wp-customerarea.com/
June 16, 2017 at 10:46 am
Hi Stephen,
Check out this documentation on how to offer a protected file after form submission (gated content). I think this should help with your concern of "how to enforce security of the user opening the upload" if I am understanding your concern correctly.
Discussion closed.