Uploaded file can still be seen with URL despite privacy settings

Hi, I’m building an app where users can create new products and attach data sheets. I’ve set the multi-file uploader to private and attached it to the product. In my privacy settings for the product, I’ve selected that only if the current user is the owner of this product or if the current user is admin, they can see the product including the file upload.

For everybody else, I’ve unselected all permissions (including viewing attached files).

On the page “app data”, I can see the files that were uploaded and they are attached to the products. For the purpose of testing, I’ve selected the URL linking to the document and tried to access it from other browsers and incognito tabs. All the documents can be accessed even though I’m not logged in on the other browsers or in the incognito tab. I’ve seen that there was also another user having the same problem, but there were no answers provided. I’d very much appreciate your help, as this “security through obscurity” mechanism is really not good enough for secure operation.

Check this reply (and the whole thread is worth reading too):

