  • Rick Mason 38 posts 169 karma points
    Nov 20, 2017 @ 14:58

    Protecting uploads and form editing

    We already use Umbraco CMS and I'm looking at Forms as a replacement for our current forms system.

    I've found a couple of things which I think are limitations of the product, but I'd like to check I'm not missing something before putting anything on the issue tracker.

    File uploads

    If I use the file upload field type, the file gets uploaded into /media/forms. That's a publicly-accessible URL, so the only protection for what might be very sensitive data is that the URL is hard to guess - not good enough. Workarounds to save it somewhere more secure might be to use a separate instance of Umbraco that secures /media, or reroute any uploads starting /media/forms somewhere else in an IFileSystem.

    Accessing the data

    If I want the owner of a form to log in to Umbraco and view the data coming in, I can limit their access to just that form, which is good. However, it appears I have to grant them "Manage forms" access, which gives them the ability to change or delete the form - not good. We would definitely want form design to be a separate role from data processing. The workaround would have to be to design a secure API that gets the form data and presents it elsewhere outside of Umbraco.
