Currently, if the Public file system is in use for the storage of webform uploaded files, those files are publicly accessible to those who know the URL prior to the full submission of the webform.
My client has requested that I investigate an alternative without changing the file system to private.
The incoming patch(es) does the following:
- Adds an option to have the file stored in the temporary scheme prior to submission.
- If option is in use, files are uploaded to `temporary://webform/...`
- If option is in use, upon the full submission, the file is "renamed" and moved to its final destination.
Patch(es) incoming.
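The promotion step described above, sketched against Drupal 7 core's file API as an added example. It is not code from the attached patches; the function name `example_webform_promote_staged_file` and the destination directory value are hypothetical.

```php
<?php
/**
 * Hypothetical helper (not from the patch): promote a staged upload from
 * temporary:// to its final directory once the submission has been saved.
 *
 * @param int $fid
 *   File ID stored for the upload component.
 * @param string $destination_dir
 *   Final directory URI, e.g. 'public://webform/uploads' (assumed value).
 *
 * @return object|false
 *   The moved file object, or FALSE if nothing was promoted.
 */
function example_webform_promote_staged_file($fid, $destination_dir) {
  $file = file_load($fid);
  // Only act on files that are still staged in the temporary scheme.
  if (!$file || file_uri_scheme($file->uri) !== 'temporary') {
    return FALSE;
  }
  // Create the final directory if needed and make sure it is writable.
  if (!file_prepare_directory($destination_dir, FILE_CREATE_DIRECTORY | FILE_MODIFY_PERMISSIONS)) {
    watchdog('example', 'Upload directory %dir is not writable.', array('%dir' => $destination_dir), WATCHDOG_ERROR);
    return FALSE;
  }
  // file_move() relocates the file and updates its URI in {file_managed}.
  // FILE_EXISTS_RENAME avoids overwriting another user's upload.
  $moved = file_move($file, $destination_dir . '/' . $file->filename, FILE_EXISTS_RENAME);
  if (!$moved) {
    return FALSE;
  }
  // Mark the file permanent. Staged files that are never submitted keep a
  // non-permanent status and are removed by system_cron() once they are
  // older than DRUPAL_MAXIMUM_TEMP_FILE_AGE (21600 seconds).
  $moved->status = FILE_STATUS_PERMANENT;
  file_save($moved);
  return $moved;
}
```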
Comments
Comment #2
Deciphered (as a volunteer and at Realityloop) commented:
Find attached patches, one against dev, one against stable (for client usage).
Comment #4
Liam Morland commented:
Thanks for the patch.
This may need changes because of #2816303: File upload destination should be private files by default if available.
The change to webform.module could just be a change to the conditions of the above 'if' statement.
Under "Save the file to the temporary file system" and in other places, you can use !empty(). Remove the spaces before "temporary_scheme".
It would be great if this had some tests.
Comment #5
Liam Morland commented:
Comment #6
alex.skrypnyk commented:
Re-rolled #2 against 7.x-4.20
Comment #7
smd_ksu commented:
This works great but how do I get the temporary, non-submitted files deleted? They remain even after cron run.
Comment #8
smd_ksu commented:
Sounds like maybe temp files don't get removed until 6hrs later. Will monitor this.
Comment #9
Liam Morland commented:
There is more information about file deletion in change record "Files that have no remaining usages are no longer deleted by default".
Comment #10
smd_ksu commented:
Following up to confirm the files did get deleted. Great patch. Thanks
Comment #11
Liam Morland commented:
Why did you switch this to "Needs work"?
Comment #12
smd_ksu commented:
I think the comment just defaulted to that status. Not on purpose.
Comment #13
ctlopez (at Principal Financial Group) commented:
I have been struggling with the same problem this patch is for. I have implemented the patch and it looks like it is successfully loading files to the temp location as specified. Two caveats to it though: first as an admin when I go out to the Administer files tab, the temp files still appear. This is remedied by changing the filter to only show public files - not a huge issue but it was a bit confusing until I figured it out.
Secondly, the upload button doesn't appear to work - and I mean that literally. When I as a user select a file to upload and the temporary file structure check is enabled (as per this patch), when I click the upload button to upload a file the button becomes locked, as if it is processing. However, when I go in and check the files as an admin I am able to see the file submitted. So the upload button works but to an end user it appears as if it isn't and thus could cause form reloads or users to give up on submitting the forms. I think that needs to be looked at further.
Comment #14
alex.skrypnyk commented:
Re-rolled for version 7.24 of Webform
Comment #15
Liam Morland commented:
@alex.skrypnyk Thanks for the patch. Does this address the issues raised in #13?
Please put the patch into a merge request.
Comment #16
Liam Morland commented:
My comments in #4 still apply.
Does this address the issues raised in #13?
Comment #17
solideogloria commented:
Comment #18
solideogloria commented:
This is actually a core issue.