Uploaded forms are not secure - add the functionality to be able to secure a folder with uploads

It concerns security: if people are attaching their CVs to a form and then these are being stored on the website platform, anyone who types that URL (or guesses it) would be able to access the CV?
eg www.websitedomainname.co.uk/CV_filename

I understand the chances of guessing it (or accidentally typing it) are very small, but there are security implications of these documents being available on a public URL.

Please can you add the functionality to be able to secure a folder with uploads

I believe file uploads via forms was made secure in v5.0 but it was reverted soon after. I think due to backwards compatibility but I can’t quite remember or find that info again?
I’ll keep looking but I’d say this feature will be reinstated soon.

Hi Adam

I had this response from Violetta at Treepl - ideally I dont want to have to upgrade to Pro Plan.

Hi Dawn,

We had to roll back the changes (secured file uploads via form submissions) based on the complaints here New issue with _Form_Submissions

There’s a task in our internal backlog to add the functionality to be able to secure a folder with uploads (if needed) and select where to upload per each specific form. I’m afraid there’s no ETA on this task at this point. You can also create a public backlog request on this feature and vote for it to speed up the process.

As a workaround, you can consider creating a Secure Zone "Secured Uploads and secure /_form_submissions/3 folder. As the site in question is on the Business plan, you’ll need to upgrade it to Pro to take advantage of the Secure Zones feature.

Violetta

1 Like

@Violetta.S I don’t think this should have to go back through the backlog process. The feature was one of the top voted features, got implemented. Had issues with implementation.

It should be implemented correctly. It looks like @Vlad said it would be re-implemented in April. Am I reading that incorrectly?

2 Likes

thank you Alex -

Hi @Vlad - are you able to give us an update on when this will be implemented please?

Hi guys,

We’ve discussed this matter with Vlad. I’m afraid as I mentioned earlier, this needs to go through the backlog in order to speed up the process. Vlad indeed promised to implement this feature in April or later, but due to the current priority list, this is far from the top.

Thanks for understanding.

@Violetta.S that creates a challenging situation for us. We have sites that were built/migrated when this feature was enabled. Site’s where users upload resumes or sensitive information.

What do I do with those sites? Tell the client that I can no longer offer the functionality I scoped?

I think it’s poor form to send this back to the bottom of the queue.

1 Like

Really disappointing as the only work around solution on offer is to upgrade my sites to the ProPlan - I can’t tell my client that something that used to work no longer works so they have to pay extra for it!!!