formtools / core

The Form Tools Core.
https://formtools.org

Files uploaded in a submission should not be visible publicly #706

Open kubajal opened 4 years ago

kubajal commented 4 years ago

Hi, currently if a user uploads a file to the form, the file gets saved in the uploads folder. The folder could be potentially seen by anyone. This is how you configure file uploads in the admin panel: [image]

I propose to replace upload folder configuration with a file upload endpoint that only logged-in users with enough permissions can use. The endpoint would accept: 1) HTTP POST - with file passed as a body to upload a file, 2) HTTP GET - with file ID passed as a parameter to download the file. IMHO it's an easy way to replace the existing solution with something safer.
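A sketch of the endpoint proposed in the issue above, added here as an illustration; it is not part of the original post and is not Form Tools code. The storage path, the session keys (`account_id`, `form_ids`) and the query parameters (`form_id`, `id`) are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical sketch, not Form Tools code: path, session keys and parameters are assumptions.
const STORE_DIR = '/var/lib/formfiles'; // assumed directory outside the web root
// Assumed model: a logged-in session lists (as integers) the form IDs the account may use.
function may_access(array $session, int $formId): bool
{
    return !empty($session['account_id']) && in_array($formId, $session['form_ids'] ?? [], true);
}
// POST: stream the request body to storage under a random ID and return that ID.
function store_upload($body, int $formId, string $dir = STORE_DIR): string
{
    $id = bin2hex(random_bytes(16));      // unguessable, never built from client input
    $out = fopen("$dir/$id.bin", 'xb');   // 'x' refuses to overwrite an existing file
    if ($out === false) {
        throw new RuntimeException('cannot create stored file');
    }
    stream_copy_to_stream($body, $out);
    fclose($out);
    file_put_contents("$dir/$id.json", json_encode(['form_id' => $formId]));
    return $id;
}

// GET: map a file ID to its path; null when the ID is malformed or access is denied.
function resolve_download(string $id, array $session, string $dir = STORE_DIR): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {   // rejects path traversal
        return null;
    }
    $meta = json_decode((string) @file_get_contents("$dir/$id.json"), true);
    if (!is_array($meta) || !may_access($session, (int) ($meta['form_id'] ?? 0))) {
        return null;
    }
    return "$dir/$id.bin";
}

session_start();
$method = $_SERVER['REQUEST_METHOD'] ?? '';
$formId = (int) ($_GET['form_id'] ?? 0);
if ($method === 'POST' && may_access($_SESSION, $formId)) {
    echo store_upload(fopen('php://input', 'rb'), $formId);
} elseif ($method === 'GET' && ($path = resolve_download((string) ($_GET['id'] ?? ''), $_SESSION)) !== null) {
    header('Content-Type: application/octet-stream'); // never the client-supplied type
    header('Content-Disposition: attachment');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
} else {
    http_response_code(403);
}
```

Because the stored files live outside the web root and are named only by a random ID, the web server cannot serve them directly; every read goes through the permission check in `resolve_download`.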