Protect uploads

default discord avatar
6 months ago

Hi, I have some file uploads that should be only available for specific people. How to protect them? I'm thinking of two approaches:

* Generate a unguessable filename on upload, but how to configure that?

* Add a middleware that checks for user access which takes more effort and more error prone.

  • default discord avatar
    6 months ago

    Considering you'll use a collection, you could maybe change the document (/file) name with the


    hook (

    ) and then restrict the access with the


    ACL (

    ). Haven’t done anything similar so if anyone else has more experience on this matter please feel free to share

  • discord user avatar
    Payload Team
    6 months ago

    @thgh - as @Migu said, I would restrict the


    access directly on your upload collection. You could add a field to your users collection (


    or similar) to determine who should be able to access the file, and another field on your uploads collection (


    or similar) to set whether or not the document is protected.

  • default discord avatar
    6 months ago

    The read access thing is clear, bit how do I change the filename of an upload?

    Is there an example available per chance?

    To be clear: I have somewhat guessable filenames now, so the limited collection read access doesn't protect the files from hackers.

Open the post
Continue the discussion in Discord
Like what we're doing?
Star us on GitHub!


Connect with the Payload Community on Discord



Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.