Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Hubert 9 posts 39 karma points
    Jul 12, 2022 @ 13:18
    Hubert
    0

    Upload FIle property type

    Hello All

    I think I'm missing something.

    There is a property type called Upload File which seems to fit perfectly in my scenario - I have a Document in Umbraco having a few fields (name, description, etc) that represent the document, and then the scan itself is attached as a file (ie. PDF). The value of the field can be easily displayed as a link or inlined as an image just by using <p>@Model.Value("test")</p>. This is evaluated to file URL. Everything works like a breeze.

    Now, I'd like to limit access to the document. It's easy for the Umbraco Document - just click "Restrict public access" and it's done :)

    But, the attached file is uploaded to the /Media folder. This means it's available for everybody who has a link to it. The link can be given or guessed. This opens a security hole.

    So, my question is - is there any option to secure such a file?

    The file is placed in ~/Media, it's hard to distinguish it from a regular media file. But it's not visible in the Media library, so you cannot manage its security descriptor using 3rd party plugins.

    The property is stored just as the media URL (string). No additional information, like a parent, owner, or anything.

    The more I think about it, the more I'm convinced I have to re-write this property from scratch to have the ability to handle the securing process, but maybe there is something I'm missing? Maybe there is an easy way to restrict access to such files without messing with code?

    EDIT: The same issue is with unpublishing the content - the document disappears, but the attachment is still downloadable.

  • Huw Reddick 1929 posts 6697 karma points MVP 2x c-trib
    Jul 12, 2022 @ 13:39
    Huw Reddick
    0

    In Umbraco 8 I created a HttpHandler in order to protect access to files in the Media folder, I'm guessing you probably need to do the same in 9 and 10

  • Hubert 9 posts 39 karma points
    Jul 12, 2022 @ 20:42
    Hubert
    0

    I did the same, but here the problem lies in filtering criteria.

    When you have Media File (uploaded by Media Library) as an object you can attach some properties to it or place it in a folder to shape desired access level. The file is an object being part of the structure (AFAIR inherits IPublishedContent).

    In the case of Uploaded File, all you know is the file URL. The only way I can imagine how to check the access permission is to directly look up the properties table in the database by media URL. Then, from this table and related tables, I should be able to find out the document to which the property value belongs. Having the document ID, I'll be able to validate if the requestor is able to access the document.

    All of this sounds a bit complex to me and I'm having doubts about the efficiency

Please Sign in or register to post replies

Write your reply to:

Draft