Hi, I have some file uploads that should be only available for specific people. How to protect them? I'm thinking of two approaches:
* Generate an unguessable filename on upload, but how to configure that?
* Add a middleware that checks for user access, which takes more effort and is more error-prone.
Considering you'll use a collection, you could maybe change the document (/file) name with the `beforeOperation` hook (https://payloadcms.com/docs/hooks/collections#beforeoperation) and then restrict the access with the `read` ACL (https://payloadcms.com/docs/access-control/collections#read). Haven't done anything similar, so if anyone else has more experience on this matter please feel free to share.
@thgh - as @Migu said, I would restrict the `read` access directly on your upload collection. You could add a field to your users collection (`role` or similar) to determine who should be able to access the file, and another field on your uploads collection (`protected` or similar) to set whether or not the document is protected.
The read access thing is clear, but how do I change the filename of an upload?
Is there an example available perchance?
To be clear: I have somewhat guessable filenames now, so the limited collection read access doesn't protect the files from hackers.
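The two suggestions in this thread combined, as an added example that is not code from any of the posters or from Payload itself: a `beforeOperation` hook that swaps the uploaded filename for a random one, and a `read` access function driven by a `role` field on users and a `protected` field on uploads. The slug, the field names, the `'admin'` role value and the location of the file on the request (`req.files.file`, or `req.file` in newer versions) are assumptions to check against your Payload version.

```javascript
// Added example: the slug, field names and role value are assumptions.
// Node's crypto module under CommonJS, the Web Crypto global under ESM.
const cryptoImpl =
  typeof require === 'function' ? require('node:crypto') : globalThis.crypto;

// Build a random stored name; keep only a short alphanumeric extension
// so nothing else from the client-supplied name survives.
function unguessableName(originalName) {
  const match = /\.([A-Za-z0-9]{1,8})$/.exec(String(originalName));
  const ext = match ? '.' + match[1].toLowerCase() : '';
  return cryptoImpl.randomUUID() + ext; // UUIDv4: 122 random bits
}

// beforeOperation hook: rename the incoming file before it is stored.
// Assumption: the upload sits at req.files.file (or req.file in newer
// Payload versions); verify against the version you run.
function randomizeFilename({ args, operation }) {
  const file = args.req?.files?.file ?? args.req?.file;
  const writes = operation === 'create' || operation === 'update';
  if (writes && file && file.name) {
    file.name = unguessableName(file.name);
  }
  return args;
}

// read access: admins see everything; everyone else, including
// anonymous requests, is limited to documents not marked protected.
function readUploads({ req }) {
  if (req.user && req.user.role === 'admin') return true;
  return { protected: { not_equals: true } };
}

// Collection config wiring both together.
const Uploads = {
  slug: 'uploads',
  upload: true,
  access: { read: readUploads },
  hooks: { beforeOperation: [randomizeFilename] },
  fields: [{ name: 'protected', type: 'checkbox', defaultValue: true }],
};
```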