Hello,

I have a site that needs users to be able to post documents about themselves to the site via a form. While the information isn't very sensitive, I wanted to take the extra step of setting up a secure folder type to be sure that the information is secured as much as possible.

I set up a secure file system folder and directed the upload fields to send the file there. I noticed that while the files are going there, they are also going to the default \DynamicForms_Uploads folder. Directory browsing is disabled, but a file name could still be potentially guessed.

Is there any work arounds for this? If I deleted the auto-generated DynamicForms_Uploads folder and recreated it with a secure file type, would that cause problems? For that matter, if I wanted to secure the
DynamicForms_Exports folder the same way would that be possible?

I am using the friendly names--which I could change to make guessing a file name that much harder. Still, I would like to be able to protect those files from access as much as possible.

Does anyone have any recommendations?

Thanks,

Billy

Hi Billy - The current version of Dynamic Forms does not currently support Secure File Folders. There are a few reasons why but the specific reason why is because once you do this, then you can no longer access files from the standard method but you must "Always" use the "LinkClick.aspx" tool to access those files. Basically this occurs for any folder within DotNetNuke as this is the only way within DNN you can secure files. We are working on a method for allowing this where we handle the code in a similar way (using FileID as a number in reference to the Files table) however this feature is not currently part of the module at this time unfortunately.

One thing you can usually do is ask Google note to ever try and index anything within those directories (not that they would anyway unless it was a hyperlink somewhere on your site). You can do use this by updating your robots.txt file.

I would also argue that using the "Unique / GUID" filename is actually just as secure as the file upload within the secure file. I guess I couldn't say "As secure" because if the user were to ever see a hyperlink in an email and saved it then they could always access that file, but the filename itself (a GUID) is generally used as a primary key because the value is so unique.

http://en.wikipedia.org/wiki/Unique_identifier


Thanks!

-Chad

Hi Chad,

Thanks for the reply. I'll switch from the friendlyname to a system generated file to see if that helps.

I removed the secure folder(s) as the alternate upload folder and replaced them with a standard folder. After testing it out my files still go to the alternate folder, but also the default DynamicForms_Uploads folder. Is that the expected behavior?