aldryn-forms
Unprotected submitted files and pictures in filer_public - make use of divio/django-filer
Currently all files and pictures transmitted through aldryn-forms are stored somewhere within the media/filer_public folder, and are thus available unprotected to the public, i.e. to everyone who knows or guesses the randomly created link.
Since django-filer is already a requirement of aldryn-forms and is already capable of protecting files, I strongly suggest making both add-ons collaborate to their full potential.
When installing the aldryn-forms add-on, or even better at the individual form level, a choice should be given to have the submitted data protected from public access, i.e. accessible only when logged in. This is crucial for many use cases with critical data!
@stefanfoulis IIRC @Chive mentioned once that he addressed this issue by using a custom bucket via django-storages.
Yes, it's quite easily achievable in general:
First, install and configure https://github.com/etianen/django-s3-storage. Then:
```python
# initialize the storage
from django.db import models
from django.utils.translation import gettext_lazy as _
from django_s3_storage.storage import S3Storage

safe_storage = S3Storage()

# use it in your model (BaseModel is the commenter's own base class; models.Model works as well)
class MyModel(BaseModel):
    uploaded_file = models.FileField(
        _('Uploaded File'),
        blank=True, null=True,
        storage=safe_storage,
        upload_to='uploads'
    )
```
I'm unsure how this is best integrated with aldryn-forms though :-)
Agreed, filer already has public/private file handling (or at least a branch once did). Best would be to reuse that.
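The protection the thread is asking for boils down to two things: keep submitted files out of the publicly served media tree, and hand them out only through a handler that checks the login. The following is an added example (not aldryn-forms, django-filer or any commenter's code) that shows that pattern as a dependency-free WSGI handler standing in for a Django view; PRIVATE_ROOT, the SESSIONS table and the sessionid cookie are constructed assumptions for the demo.

```python
import os
import tempfile
from wsgiref.util import FileWrapper

# Constructed sandbox: submissions live OUTSIDE the web-served media tree,
# unlike media/filer_public, so no URL reaches them without this handler.
PRIVATE_ROOT = tempfile.mkdtemp(prefix="private_uploads_")
with open(os.path.join(PRIVATE_ROOT, "submission-7.pdf"), "wb") as fh:
    fh.write(b"%PDF-1.4 constructed sample\n")

# Hypothetical session table standing in for Django's request.user lookup.
SESSIONS = {"sess-abc": "alice"}

def authenticated_user(environ):
    """Return the user behind a valid sessionid cookie, else None."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sessionid":
            return SESSIONS.get(value)
    return None

def resolve_private_path(name):
    """Map a requested name onto PRIVATE_ROOT; reject traversal and non-files."""
    root = os.path.realpath(PRIVATE_ROOT)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None

def private_download(environ, start_response):
    """WSGI handler: the file is served only to a logged-in user."""
    if authenticated_user(environ) is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"login required"]
    path = resolve_private_path(environ.get("PATH_INFO", "").lstrip("/"))
    if path is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return FileWrapper(open(path, "rb"))

def fetch(path, cookie=""):
    """Exercise the handler in-process; returns (status line, body bytes)."""
    seen = {}
    body = b"".join(private_download({"PATH_INFO": path, "HTTP_COOKIE": cookie},
                                     lambda status, headers: seen.setdefault("status", status)))
    return seen["status"], body
```

In a real Django deployment the same shape applies: a storage whose root is not under MEDIA_ROOT (or a private S3 bucket as above) plus a login-required view that streams the file, instead of a direct link into filer_public.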