Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlogGuides & Tutorials
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

Protect uploads

default discord avatar
thgh.2 years ago
3

Hi, I have some file uploads that should be only available for specific people. How to protect them? I'm thinking of two approaches:


* Generate a unguessable filename on upload, but how to configure that?


* Add a middleware that checks for user access which takes more effort and more error prone.

  • default discord avatar
    miguderp2 years ago

    Considering you'll use a collection, you could maybe change the document (/file) name with the

    beforeOperation

    hook (

    https://payloadcms.com/docs/hooks/collections#beforeoperation

    ) and then restrict the access with the

    read

    ACL (

    https://payloadcms.com/docs/access-control/collections#read

    ). Haven’t done anything similar so if anyone else has more experience on this matter please feel free to share

  • default discord avatar
    jessrynkar2 years ago
    @476523795251855360

    - as

    @157199103921618944

    said, I would restrict the

    read

    access directly on your upload collection. You could add a field to your users collection (

    role

    or similar) to determine who should be able to access the file, and another field on your uploads collection (

    protected

    or similar) to set whether or not the document is protected.

  • default discord avatar
    thgh.2 years ago

    The read access thing is clear, bit how do I change the filename of an upload?



    Is there an example available per chance?



    To be clear: I have somewhat guessable filenames now, so the limited collection read access doesn't protect the files from hackers.

Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.