Restricting file download

Hi,

I’ve got a file object related to a user and I want only the related user to be able to access/download the file.

I’ve noticed that it’s possible to access files by incrementing the ID in the URL. For example, if I got the URL below, I could keep incrementing until I got another file that potentially wasn’t related to my User record.

HOSTNAME/file/record_field_file/153201/file_id/filename.pdf (related)
HOSTNAME/file/record_field_file/153203/file_id/filename.pdf (not related)

Is it possible to put restrictions on this to prevent anyone from being able to do this? I had a look on the file object settings but couldn’t see anything.

Thanks, Ewan

Hi Ewan,

You should be able to do this using a user restriction path in the Object settings:

I think this functionality may have been added in a recent update as I can’t find any information on it. It’s possible the option may not be available in the version you are running. I’m running 2021.3.113 and was able to do a quick test just now where I added a restriction path and I think I was able to achieve what it sounds like you want.

Dylan

Hi Dylan,

Thanks for your help, this seems to have worked for allowing only the related user to view it.

The only issue I’m having now is that I can’t view these files from an Admin/Build Admin role, they won’t show up in a list widget and I also can’t run any rules against the records.

Is there a way to keep this restriction for the User but remove it for Admins?

Thanks,
Ewan

Hi Ewan,

I think that if you add a subset filter to the restriction path you have added so that it only applies to users of a particular role then that should allow you to access it normally from the other roles.

Thanks,
Dylan

Hi Dylan,

That’s solved it, works perfectly.

Thanks,
Ewan

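The three states this thread passes through (no restriction, a restriction path for every role, a restriction path with a role subset filter), modelled as an access decision. This is an added example, not the platform's own code: the `Restriction` model, the function names, the user IDs and the role name "User" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class User:
    id: int
    role: str

@dataclass(frozen=True)
class FileRecord:
    id: int        # the number visible in the download URL
    owner_id: int  # the user the file record is related to

@dataclass(frozen=True)
class Restriction:
    # Hypothetical model of a user restriction path: the record must be
    # related to the requesting user. None = no subset filter (all roles).
    applies_to_roles: Optional[FrozenSet[str]] = None

def can_download(user: User, record: FileRecord,
                 restriction: Optional[Restriction]) -> bool:
    if restriction is None:
        return True   # no restriction: a valid ID in the URL is enough
    roles = restriction.applies_to_roles
    if roles is not None and user.role not in roles:
        return True   # role outside the subset filter: check is skipped
    return record.owner_id == user.id

def reachable_ids(user: User, records: List[FileRecord],
                  restriction: Optional[Restriction]) -> List[int]:
    """Record IDs a user can fetch by trying every ID in turn."""
    return [r.id for r in records if can_download(user, r, restriction)]

# Constructed sample data; the record IDs are the two from the question.
EWAN = User(1, "User")
OTHER = User(2, "User")
ADMIN = User(9, "Admin")
RECORDS = [FileRecord(153201, owner_id=1), FileRecord(153203, owner_id=2)]

if __name__ == "__main__":
    cases = [("no restriction", None),
             ("restriction, all roles", Restriction()),
             ("restriction, role filter", Restriction(frozenset({"User"})))]
    for label, restriction in cases:
        for who in (EWAN, OTHER, ADMIN):
            print(label, who.role, who.id, reachable_ids(who, RECORDS, restriction))
```

In this model any role missing from the filter skips the ownership check entirely, so every role that should be restricted has to be listed in the filter, including roles created later.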