
Protect uploads

thgh, last year

Hi, I have some file uploads that should only be available to specific people. How do I protect them? I'm thinking of two approaches:

* Generate an unguessable filename on upload, but how to configure that?

* Add a middleware that checks for user access, which takes more effort and is more error-prone.

  • Migu, last year

    Considering you'll use a collection, you could maybe change the document (/file) name with the `beforeOperation` hook (https://payloadcms.com/docs/hooks/collections#beforeoperation) and then restrict the access with the `read` ACL (https://payloadcms.com/docs/access-control/collections#read). Haven’t done anything similar, so if anyone else has more experience on this matter please feel free to share.

  • jesschow, last year

    @thgh - as @Migu said, I would restrict the `read` access directly on your upload collection. You could add a field to your users collection (`role` or similar) to determine who should be able to access the file, and another field on your uploads collection (`protected` or similar) to set whether or not the document is protected.

  • thgh, last year

    The read access thing is clear, but how do I change the filename of an upload?

    Is there an example available perchance?

    To be clear: I have somewhat guessable filenames now, so the limited collection read access doesn't protect the files from hackers.
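
The approach suggested in the replies above, sketched as an added example (not code from the thread or from Payload): a `read` access function driven by a `role` field on users and a `protected` checkbox on uploads, plus a `beforeOperation` hook that swaps the uploaded filename for a random one. The slug, the `admin` role value and the assumption that the incoming file is reachable as `req.file` are illustrative; where the file sits on the request depends on the Payload version.

```javascript
// Added example, not code from the thread. Names marked "assumed" are illustrative.
const { randomBytes } = require('node:crypto');
const path = require('node:path');

// Assumed role value on the users collection ("role or similar" in the thread).
const PRIVILEGED_ROLES = ['admin'];

// Collection-level read access. Returning an object makes Payload apply it as
// a query constraint, so other users only ever match unprotected documents.
// Documents without an explicit protected === false are not matched (fail closed).
function readUploads({ req }) {
  const user = req && req.user;
  if (user && PRIVILEGED_ROLES.includes(user.role)) return true;
  return { protected: { equals: false } };
}

// Random 128-bit name; only a short alphanumeric extension is carried over,
// so nothing else from the client-supplied name survives.
function unguessableName(original) {
  const ext = path.extname(String(original)).toLowerCase();
  const safeExt = /^\.[a-z0-9]{1,8}$/.test(ext) ? ext : '';
  return randomBytes(16).toString('hex') + safeExt;
}

// beforeOperation hook. Assumption: the incoming file is exposed as req.file
// (its location on the request differs between Payload versions).
function renameUpload({ args, operation, req }) {
  if (operation === 'create' && req && req.file) {
    req.file.name = unguessableName(req.file.name);
  }
  return args;
}

// Collection config as a plain object; add it to the `collections` array.
const ProtectedUploads = {
  slug: 'protected-uploads', // assumed slug
  upload: true,
  access: { read: readUploads },
  hooks: { beforeOperation: [renameUpload] },
  fields: [{ name: 'protected', type: 'checkbox', defaultValue: false }],
};
```

The random name only makes URLs hard to guess; the `read` function is what decides who gets the file, so a leaked link to a protected document still requires a privileged session.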
