Security issue - Attached files

Hey guys,

As I work more and more with ERPNext getting used to it for our organization and making sure its a good fit (I think it is amazing) I still need to make sure its a robust and secure system as it is one that handles very sensitive information such as social security info, address, bank info etc.

The issue I found was attached documents to users(or anthything for that matter)

It uploads them as the filename (ex. contact.doc) so then the URL attached to the user is

The issue is this URL can be relatively easy to guess and is accessable to download from un authenticated users. I copied the URL to another browser and the download began immediately.

I think the best solution would be no access unless logged in or authorized. Or at the very least rename the file to some random hash.doc/pdf/filename.

Please let me know what you think, if there is some setting somewhere I missed that could be the issue too :smile:

Thanks again for your support and such great software.



A agree this is a serious issue. My client wants to attach sensitive documents like blueprints; something that shouldn’t be accessible to other users in the system, let alone the public!

I believe the correct way to handle this would be to store the files in a non http accessible location; Files would have to be requested and streamed via the framework, not served directly by the web server. Frappe needs to validate the request for the file!

Here’s a discussion on the topic:

1 Like

In 2020 have any solution?