Like what we’re doing? Star us on GitHub!

Protect uploads

3 weeks ago

Hi, I have some file uploads that should be only available for specific people. How to protect them? I'm thinking of two approaches:

* Generate a unguessable filename on upload, but how to configure that?

* Add a middleware that checks for user access which takes more effort and more error prone.

  • Migu
    3 weeks ago

    Considering you'll use a collection, you could maybe change the document (/file) name with the


    hook (

    ) and then restrict the access with the


    ACL (

    ). Haven’t done anything similar so if anyone else has more experience on this matter please feel free to share

  • jesschow
    Payload Team
    2 weeks ago

    @thgh - as @Migu said, I would restrict the


    access directly on your upload collection. You could add a field to your users collection (


    or similar) to determine who should be able to access the file, and another field on your uploads collection (


    or similar) to set whether or not the document is protected.

  • thgh
    2 weeks ago

    The read access thing is clear, bit how do I change the filename of an upload?

    Is there an example available per chance?

    To be clear: I have somewhat guessable filenames now, so the limited collection read access doesn't protect the files from hackers.

Open the post
Continue the discussion in Discord
Can't find what you're looking for?
Get help straight from the Payload team with an Enterprise License.Learn More