Attached file can be access thru URL. (Public/Private)

Hi,
I am looking for a solution on how to manage attachment permissions on a Doctype. Is it possible for only logged-in users to access the attachments?

in my scenario, all uploaded attachments can be accessed through a URL.
I also tried to upload it privately. but when I remove the ‘private’ on the URL. it still can be accessed publicly.

ex.
When i upload it in private, this would be the url - https://mydomain.com/private/files/image.jpg - not accessible

but when I remove the “private” - https://mydomain.com/files/image.jpg - the image can be accessed in public.

Managing attachment permissions on a Doctype to restrict access to only logged-in users can be challenging. As it stands, any uploaded attachments can be accessed via a URL.

When you upload an attachment as private, the URL would look like this: https://mydomain.com/private/files/image.jpg, and it will not be accessible publicly. However, if the ‘private’ part of the URL is removed, as in https://mydomain.com/files/image.jpg, the file becomes publicly accessible.

Currently, the system is designed with this distinction in mind: public files are accessible to all users, and private files are protected to ensure that important documents are not accessible to unauthorized users. This approach is aligned with general and common-use scenarios.

If you want to grant specific users access to private files, you can use the sharing option to share the document. This way, you can control access more effectively by specifying which users or roles can view the file.

Here is a suggestion for handling your scenario: use the sharing functionality to share private files with the intended users. This allows you to maintain the privacy of important documents while ensuring that authorized users have access.

1 Like
  • Users can list all files attached to any doctype they can read

  • Users can list all public files

  • Users cannot list private standalone files created by other users

  • When opening a specific file, permissions on the reference document will be checked

    e.g. assume a user can access only their own User record. They can list files attached to all User records, but only open Files attached to their own User.

  • The user “Administrator” can list all files

If you can really access private files without being logged in, that would be a bug and security issue. However, I can’t reproduce this (tested on v14).

1 Like

Thank you for your suggestion @NCP .So if the attached file is uploaded as private, it can still be accessed publicly by just removing the ‘private’ on the URL?

@Xent No . you can’t acces private images by removing private from url . and you cant access private images without login and right permissions .
I guess what happened is you uploaded the same image twice , one in public and one in private , that’s why by removing the private from url you are accessing the other one in public folder . test a new image with a different name .

2 Likes