I am getting really frustrated with the file uploader or the multi file uploader. I think it has a really big privacy issue.
1/ If a user uploads a file on a form but then decides to upload another file or change it, the original file stays in the File Manager.
2/ If a user uploads a file and then decides to leave the form the file is uploaded in the File Manager and it stays there for ever.
There is a similar post about the subject here,
I can’t find a way to save this information anywhere and then delete files that don’t have a reference in the database. Has anyone found a solution for this?
Yes that solution will work. Dealing with files is a bit of a pain, its slightly outside of the simplistic scope of Bubbles “delete a thing” function.
To delete a file or list of files (particularly orphaned files); you will have to create “backend (API) workflows”
However - a real security issue with the File Uploader that I have seen is that, if a malicious user manages to upload a file (.js .exe etc) ; and the Bubble developer displays those files in an image element (under the assumption that the files are of type image) - a visitor to the Bubble website can click the image element (which has no image) and consequently, the file is then downloaded to their computer… @allenyang tagging you here, because I feel this could be an issue that can be resolved from your guys end. Although in fairness, it is our (the website owner/builder) who is responsible to avoid these situations
Thanks for flagging this - I checked in with our Engineering team about it. While what you’re saying is technically true, it is not necessarily the most pressing of security situations. For example, the same situation also exists with the file uploader today (where you might think a .js or .exe file is easier to ‘hide’).
It’s something we’ll think about how to help with. One idea is some kind of virus scanning for uploaded files. Or maybe just a warning for certain kinds of file extensions. We probably won’t address this very soon, but it’s on our radar. Thanks again for flagging!
