Protect uploads

default discord avatar
thgh
6 months ago
5

Hi, I have some file uploads that should be only available for specific people. How to protect them? I'm thinking of two approaches:


* Generate a unguessable filename on upload, but how to configure that?


* Add a middleware that checks for user access which takes more effort and more error prone.

  • default discord avatar
    Migu
    6 months ago

    Considering you'll use a collection, you could maybe change the document (/file) name with the

    beforeOperation

    hook (

    https://payloadcms.com/docs/hooks/collections#beforeoperation

    ) and then restrict the access with the

    read

    ACL (

    https://payloadcms.com/docs/access-control/collections#read

    ). Haven’t done anything similar so if anyone else has more experience on this matter please feel free to share

  • discord user avatar
    jesschow
    Payload Team
    6 months ago

    @thgh - as @Migu said, I would restrict the

    read

    access directly on your upload collection. You could add a field to your users collection (

    role

    or similar) to determine who should be able to access the file, and another field on your uploads collection (

    protected

    or similar) to set whether or not the document is protected.

  • default discord avatar
    thgh
    6 months ago

    The read access thing is clear, bit how do I change the filename of an upload?



    Is there an example available per chance?



    To be clear: I have somewhat guessable filenames now, so the limited collection read access doesn't protect the files from hackers.

Open the post
Continue the discussion in Discord
Like what we're doing?
Star us on GitHub!

Star

Connect with the Payload Community on Discord

Discord

online

Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.