Currently if the Public file system is in use for the storage webform uploaded files, those files are publicly accessible to those who have know the URL prior to the full submission of the webform.
My client has requested that I investigate an alternative without changing the file system to private.
The incoming patch(es) does the following:
- Adds an option to have the file stored in the temporary scheme prior to submission.
- If option is in use, files are uploaded the `temporary://webform/...`
- If option is in use, upon the full submission, the file is "renamed" and moved to it's final destination.
Patch(es) incoming.
Comments
Comment #2
decipheredFind attached patches, one against dev, one against stable (for client usage).
Comment #4
liam morlandThanks for the patch.
This may need changes because of #2816303: File upload destination should be private files by default if available.
The change to webform.module could just be a change to the conditions of the above 'if' statement.
Under "Save the file to the temporary file system" and in other places, you can use !empty(). Remove the spaces before "temporary_scheme".
It would be great if this had some tests.
Comment #5
liam morlandComment #6
alex.skrypnykRe-rolled #2 against 7.x-4.20
Comment #7
smd_ksu commentedThis works great but how do I get the temporary, non-submitted files deleted? They remain even after cron run.
Comment #8
smd_ksu commentedSounds like maybe temp files don't get removed until 6hrs later. Will monitor this.
Comment #9
liam morlandThere is more information about file deletion in change record "Files that have no remaining usages are no longer deleted by default".
Comment #10
smd_ksu commentedFollowing up to confirm the files did get deleted. Great patch. Thanks
Comment #11
liam morlandWhy did you switch this to "Needs work"?
Comment #12
smd_ksu commentedI think the comment just defaulted to that status. Not on purpose.
Comment #13
ctlopez commentedI have been struggling with the same problem this patch is for. I have implemented the patch and it looks like it is successfully loading files to the temp location as specified. Two caveats to it though: first as an admin when I go out to the Administer files tab, the temp files still appear. This is remedied by changing the filter to only show public files - not a huge issue but it was a bit confusing until I figured it out.
Secondly, the upload button doesn't appear to work - and I mean that literally. When I as a user select a file to upload and the temporary file structure check is enabled (as per this patch), when I click the upload button to upload a file the button becomes locked, as if it is processing. However, when I go in and check the files as an admin I am able to see the file submitted. So the upload button works but to an end user it appears as if it isn't and thus could cause form reloads or users to give up on submitting the forms. I think that needs to be looked at further.
Comment #14
alex.skrypnykRe-rolled for version 7.24 of Webform
Comment #15
liam morland@alex.skrypnyk Thanks for the patch. Does this address the issues raised in #13?
Please put the patch into a merge request.
Comment #16
liam morlandMy comments in #4 still apply.
Does this address the issues raised in #13?
Comment #17
solideogloria commentedComment #18
solideogloria commentedThis is actually a core issue.
Comment #19
solideogloria commentedTargeting most recent branch. I would still love to see a solution to this problem.
Comment #20
jrockowitz commentedThis request seems like an edge case. I don't think we should implement this feature in the core webform module.
I think you can use
hook_file_access()to allow anonymous access to private webform files that are permanent.