  • The URLs from Files can be seen by guest

If we used the Files section, under Documentation

it's uploading a text file that anyone with a link can see

Is this by design?

If so, I can't use it for fear that someone would be sent the link outside the org

Thank you

I can confirm, this happens here too: the link to a file with any extension is public when it should not be.

wrongecho I saw the thread and was thinking: what about having an option in the config to set public or private defaults for files?

    hugo

    The best way of doing this would be to move to something like S3 storage which has time limited access signatures in the URL. This isn't something in the road map at the moment.

    I really don't see an issue with this. Anyone that has access to the random, stupidly long 64 character URL, already has access to the file itself. Many apps operate like this, including Facebook and Picasa for many years.

    What exactly is the threat model here?

    @wrongecho is right, this is a non-issue. We encode the files with a longer random reference name. It's stronger than most API keys web apps give. I don't see the exploitation here.

    Guys, I just think it should be in your control what will be shared or not.

    I think it may be an issue if an employee shares the hardlink, and/or somehow this link gets to people who should not have access to this.

    What I'm proposing is an option switch to let the link be public like now or not (just enabled for logged-in users).

    It's somehow the same thinking as with shared things: what's the purpose of being able to share things and control how it goes, if the hardlink of the file is public? For me that should be a concern.

    @hugo you explained it pretty well and you're right. I think we were looking at it from the perspective of an outside attacker being able to brute-guess the files, but really, as you said, the problem is possibly internal, with an employee, where an audit trail needs to happen. Although this isn't really high priority for us, I'll look into some solutions for this, and it will depend on how technically challenging this task will be.