freescout-helpdesk / freescout

FreeScout — Free self-hosted help desk & shared mailbox (Zendesk / Help Scout alternative)
https://freescout.net
GNU Affero General Public License v3.0
2.67k stars 458 forks

Knowledge Base .. Documents open for everyone...?!? #3984

Closed rickwaltmann closed 1 month ago

rickwaltmann commented 1 month ago

Hello everyone, yesterday I installed Freescout on our server and purchased almost all modules. Nice to give it a try. One of my goals for purchasing was the knowledge base. Now, I have a question about it: even if I set up a knowledge base as 'visible only to support agents', all documents placed in the knowledge base can still be accessed with the URL, even if you're not logged in! A knowledge base is intended for storing critical company questions including workflows and drawings, for example. But if ALL documents can simply be accessed with the original URL, I'm not sure if it's secure enough to expose it to the internet like this. I would appreciate your advice on this.

freescout-helpdesk commented 1 month ago

You are probably talking about files uploaded to articles. Yes, by default they are available via direct link and for now there is no way to limit access to user agents only. File names for uploaded files have randomly generated names (for example MMlZ0X2g9Byeh9n2zdW7Paj26.txt) which makes it impossible for an outsider to randomly open your uploaded files.

rickwaltmann commented 1 month ago

Thanks for your answer. Isn't it possible to protect a storage folder in Laravel for logged-in users only? (see https://dev.to/kennyhorna/restricting-access-to-certain-files-in-our-laravel-app-27gh)

That's more secure than opening the storage folder for everyone. In my opinion this is a major problem to solve (because of safety). What do you think? Is this something to fix together?
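
The approach asked about in the comment above, serving stored files through a route that requires a logged-in session instead of a public storage link, as an added example. It is not FreeScout's code or code from the linked article; the `/kb-files/{name}` route, the `kb-uploads` directory and the default `local` disk root (`storage/app`) are assumptions made for illustration.

```php
<?php
// routes/web.php (added illustration; not FreeScout code)
// Assumptions: files live on the private "local" disk under a hypothetical
// "kb-uploads" directory that is NOT symlinked into public/, and the
// route path /kb-files/{name} is made up for this sketch.

use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

Route::get('/kb-files/{name}', function ($name) {
    // Accept a bare file name only: letters, digits, one extension.
    // This rejects "../" sequences and absolute paths before touching disk.
    if (!preg_match('/\A[A-Za-z0-9]{1,64}\.[A-Za-z0-9]{1,8}\z/', $name)) {
        abort(404);
    }

    $path = 'kb-uploads/' . $name;

    // Same 404 for "missing" and "malformed" so the response does not
    // reveal which names exist.
    if (!Storage::disk('local')->exists($path)) {
        abort(404);
    }

    // Serve from private storage (default local disk root is storage/app).
    // nosniff stops browsers from reinterpreting an upload as HTML or script.
    return response()->download(
        storage_path('app/' . $path),
        $name,
        ['X-Content-Type-Options' => 'nosniff']
    );
})->middleware('auth'); // guests never reach the closure
```

With this layout the random file name is no longer the only control: a request without a valid session is stopped by the `auth` middleware before any file is read.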

freescout-helpdesk commented 1 month ago

There are two types of files stored in storage folder: attachments and uploaded files. See https://github.com/freescout-helpdesk/freescout/wiki/FAQ#freescout-attachments-are-available-via-direct-link

rickwaltmann commented 1 month ago

Okay, thank you. Securing attachments is definitely a good idea. Do I understand correctly that this is already implemented? Or do I need to implement it via the link you sent? I'd also like to apply security to uploads. It would be great if you could simply check a box in Freescout under settings: 'uploads only viewable/downloadable when logged in'. That way, users can choose for themselves. I'll look into how to secure the uploads then.

freescout-helpdesk commented 1 month ago

> Do I understand correctly that this is already implemented?

Already implemented.

> It would be great if you could simply check a box in Freescout under settings: 'uploads only viewable/downloadable when logged in'.

Feel free to submit a feature request: https://freescout.net/request-feature/