Uploaded forms are not secure - add the functionality to be able to secure a folder with uploads

It concerns security: if people are attaching their CVs to a form and then these are being stored on the website platform, anyone who types that URL (or guesses it) would be able to access the CV?
eg www.websitedomainname.co.uk/CV_filename

I understand the chances of guessing it (or accidentally typing it) are very small, but there are security implications of these documents being available on a public URL.

Please can you add the functionality to be able to secure a folder with uploads

I believe file uploads via forms was made secure in v5.0 but it was reverted soon after. I think due to backwards compatibility but I can’t quite remember or find that info again?
I’ll keep looking but I’d say this feature will be reinstated soon.

Hi Adam

I had this response from Violetta at Treepl - ideally I dont want to have to upgrade to Pro Plan.

Hi Dawn,

We had to roll back the changes (secured file uploads via form submissions) based on the complaints here New issue with _Form_Submissions

There’s a task in our internal backlog to add the functionality to be able to secure a folder with uploads (if needed) and select where to upload per each specific form. I’m afraid there’s no ETA on this task at this point. You can also create a public backlog request on this feature and vote for it to speed up the process.

As a workaround, you can consider creating a Secure Zone "Secured Uploads and secure /_form_submissions/3 folder. As the site in question is on the Business plan, you’ll need to upgrade it to Pro to take advantage of the Secure Zones feature.

Violetta

1 Like

@Violetta.S I don’t think this should have to go back through the backlog process. The feature was one of the top voted features, got implemented. Had issues with implementation.

It should be implemented correctly. It looks like @Vlad said it would be re-implemented in April. Am I reading that incorrectly?

2 Likes

thank you Alex -

Hi @Vlad - are you able to give us an update on when this will be implemented please?

Hi guys,

We’ve discussed this matter with Vlad. I’m afraid as I mentioned earlier, this needs to go through the backlog in order to speed up the process. Vlad indeed promised to implement this feature in April or later, but due to the current priority list, this is far from the top.

Thanks for understanding.

@Violetta.S that creates a challenging situation for us. We have sites that were built/migrated when this feature was enabled. Site’s where users upload resumes or sensitive information.

What do I do with those sites? Tell the client that I can no longer offer the functionality I scoped?

I think it’s poor form to send this back to the bottom of the queue.

1 Like

Really disappointing as the only work around solution on offer is to upgrade my sites to the ProPlan - I can’t tell my client that something that used to work no longer works so they have to pay extra for it!!!

@Violetta.S You must be joking. We can’t even vote on back log items that haven’t been “Reviewed”, So you haven take it from a feature that made it through the backlog process, into production, had some small issues so it was withdrawn with a promise to reinstate it, to you need to get it through the backlog process again, to you can’t actually vote on that feature.

Have you ever read any Kafka?

Perhaps, since this item had already been looked at (and even implemented), it could be fast-tracked to the ‘Reviewed Items’ and then the votes can decide its priority.

2 Likes

We also had to deactivate features on migrated sites due to that fact, that uploaded files are not secure. As a matter of fact we can’t use file uploads in forms at all at the moment as an upload to an unsecured location is not compatible with GDPR regulations. So in my understanding this is not a feature which needs votes. It’s removing a flaw, which hinders full GDPR compliance of the platform.

2 Likes

Guys, we’re investigating possible options and will get back to you on this early next week.

1 Like

Sorry for the drama. I get a bit passionate sometimes.

2 Likes

Hi guys,

We’ve added the ability to vote for this feature https://portal.treepl.co/backlog/4039
I understand this feature is critical for some partners, but due to current list of tasks in our internal backlog that exceeds 200 items I’m afraid there’s no other way to prioritize it at this point.

I now have to explain to clients that and I persuaded to move from a BC to Treepl that uploaded forms are no longer secure, but it might work again in the future but we have no idea when!!
This is a really disappointing result but thanks for trying Violetta.

Please vote for it, you can give all your votes to this feature. This will add extra value to this feature from the internal list we have and we hope we’ll be able to include this to the next sprint.

Hi Violetta,
While I understand that there is an internal priority list of requests and such, this isn’t a new request, this was an existing, launched, published feature that had a bug, and should be treated as such. Bugs should be fixed without having to go to the backlog and voted on my partners.

This is extremely disappointing for the partners, as many have expressed above, and I would strongly suggest it be reviewed further, if this were a new feature, I could understand it needing to go to the backlog for review and voting, but it’s not. This was an existing feature with a bug that should be fixed.

@Adam.Wilson could you please add this to the agenda for our treehouse meeting next week, I think it’s important that this is raised for all partners to be aware of.

2 Likes