Privacy Rule creates a link with an expiry date?

Hello, I have created a privacy rule for uploading files restricted to an admin role, and attached the file to a thing in my DB.

However, the file can still be viewed, and it gives me a URL with an AWSAccessKeyID and an Expires field. This link can still be accessed in incognito without logging in.

How do I completely secure this file?

Any ideas? I’ve tried different variations of privacy rules, but it still seems that the files have a link which can be accessed without needing a specific user role.

Your file is secure if you have set your privacy rules correctly and make file private. This link is only created for the logged in user when this user access the file (and have an expiry date) or from the DB/filemanager

@Jici How do I make it so that in the front end, it doesn’t create this link. Even when I’m logged out and create a workflow to open the file, it still opens with the entire link (expiry date + aws key)

Can you share your uploader settings and your privacy rules?
Do you have a page to test this?

@Jici I don’t have a test page, but here are the settings

Here you can see that it is being attached to the vendor registration field with this dummy file.

image

I created a button on the front end that would open this file on a new tab. Even when I’m logged out, I can click on the button and open the file

In your screenshot… What is the field that store the file?
Also, are you sure that “parent group vendor_registration” have an item set? What if you inspect?

Because according to your screenshot, if the privacy rules is the one for vendor registration, is shouldn’t be possible to see the whole item, not just the file. So if you see the item too, you are logged in…