Closed micschk closed 6 years ago
Sure, this is why I didn't handle that so far :-)
In the filepond sample backend, they generate a unique id, so it's very unlikely that you can spoof existing files.
I don't like sessions in general because they expire, they lock php processes, etc. Probably using uuids instead should be more than enough.
I have a module doing that, but it's not updated to SilverStripe 4 yet: https://github.com/lekoala/silverstripe-uuid (it should be really straightforward to upgrade).
Just to let you know that I added the change on master; I'm using the session and I think it works ok.
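As an added example (not code from this thread or from the module discussed here), the two ideas above combined in plain PHP: the server picks an unguessable id for each upload and also binds it to the uploading session, so a hidden field carrying the id cannot be used to attach someone else's file. The `UPLOAD_DIR` constant and the function names are assumptions.

```php
<?php
// Added example, not the module's own code. Demonstrates a server-issued
// random upload id that is bound to the session which created it.
declare(strict_types=1);

session_start();

const UPLOAD_DIR = '/tmp/filepond-uploads'; // assumed location, adjust to your setup

/** Called when FilePond POSTs a file. Returns the opaque id the client echoes back. */
function registerUpload(string $tmpPath): string
{
    // 128 bits of CSPRNG output: unguessable, unlike a sequential database id.
    $id = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id;
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0700, true)) {
        throw new RuntimeException('cannot create upload dir');
    }
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('upload failed');
    }
    // Bind the id to this session: only this session may attach it later.
    $_SESSION['filepond_uploads'][$id] = $dest;
    return $id;
}

/** Called when the form containing the hidden file-id field is submitted. */
function claimUpload(string $submittedId): ?string
{
    $owned = $_SESSION['filepond_uploads'] ?? [];
    // A spoofed id (another user's, or one that never existed) is rejected the
    // same way as an unknown one, so the response leaks nothing about other files.
    if (!ctype_xdigit($submittedId) || !isset($owned[$submittedId])) {
        return null;
    }
    $path = $owned[$submittedId];
    unset($_SESSION['filepond_uploads'][$submittedId]); // ids are single-use
    return $path;
}
```

If sessions are undesirable (see the comment above about expiry and process locking), the random id alone already removes guessability; the session binding adds ownership on top of it.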
It occurred to me that (especially in a front-end scenario) having a hidden field with just a file-id as a value poses a possible security issue as anyone could spoof the ID and attach/'upload' any (existing) file as his own.
I can think of two ways to prevent this;