New issue with _Form_Submissions

In case you were one of those people who were using the “File Upload” option for clients to use for Careers forms - i.e. for CV’s, Resumes, Cover Letters, etc. which then outputted a link in a workflow that your customers could use to view said file uploads… well, you can’t really get the file any longer when you click the link. Well you can, but only if it opens in a browser that you are currently logged into an admin already.

For example:

Cover Letter: /_form_submissions/4/19/NSS_Right-Call_Pamphlet_En-c-11-03-2020-04-48-13-100.pdf

  1. If i am logged into an ADMIN, and I click this link in an email, It opens up the file in a browser no problem.

  2. If i am not logged into an ADMIN, and I click this link in an email I get a 403 Forbidden Page.

This is a bit of a problem, since it was working and now it is is not (well sort of). I don’t always want to give access to everyone who is receiving these workflows (and nor do my clients). So now the person who in, say, HR who wasn’t suppose to have any ADMIN access, but only uses the workflow emails to view/download file (from browser) can no longer access these.

@alex can this be discussed internally? I realize this has to do with the new “secured” folder thing, but file uploads into the file submissions folder should not be locked unless we manually secure them. Furthermore, how would one deal with this on the Business Plan where we have no access to secure zones?

Please advise. I have 2 clients who have asked me about this as of late.



@A3CS Thanks for investigating and posting here. I just had a client contact me with exactly this issue. It must have popped up just as I was rolling it out because it was working for me one day, then I sent it off to the client and it was no longer working.

I actually prefer it to be secured by default, but there does need to be the options of having the folder not secure/accessible if desired.

1 Like

All files stored in /_form_submissions/ folder are now secured by default so only admin users can get access to them.
This solution has been applied as an additional feature to the Ability To Assign Documents To A Secure Zone and was based on the forum discussion below:

We didn’t add any configuration that allows leaving some form submission files insecure while some others making secure because nobody mentioned such requirement in that discussion.

So now we can offer an improvement that will allow you to:

However, it can be released not earlier than the next sprint release. If you need insecure files back ASAP, please reply here so I could ask the team to disable this feature in the current sprint release (March, 18).

Would it work for you?

1 Like

@vlad.z I will push our clients to wait until the 18th. This being said, please confirm this option of choosing which folder is secure/unsecure as well as being able to add our own folder files will be available on the Business Plan?

Oh yeah, I did suggest that :blush:

I’m fine with waiting until March 18th for these features to be added. That would be excellent. It would provide greater flexibility.

In the mean time I’m happy to tell my client to log in. In fact by default I prefer the option of having form submission files secured, as per the quoted discussion.

Also, thank you for securing form file uploads. It’s going to save me a ton of extra configuration for clients who need to collect sensitive data that can’t just be available to crawlers and search engines.

A bit of heads up around the roll out of this change would have been nice so we can prepare.

Making form submission files secure is fully independent feature and it doesn’t rely on Secure Zones.
It is just very similar to the Secure Zone files feature, that’s why it was developed in the same sprint.
So the answer is yes, it will be available on Business plan.

I need to clarify that configuration settings will be provided not earlier than the next sprint release (April 8 or later).
But on March 18 current force secure feature will be disabled.