File protection level

This is a general remark on the security of files stored in Frappe/ERPNext: any file that is uploaded is publicly available, i.e. if someone knows the URL, he/she can download it even without an account on the ERPNext instance. This could be considered a security issue. Public/private only applies to visibility within the system.

Would it be possible to restrict the file access, has this been considered before?

It would be possible to store files only on other cloud services such as NextCloud, …

Steps to reproduce:

  • upload any file and mark it not public
  • copy the file URL
  • access from another session/machine, …

Actual behaviour: file is available

Expected behaviour: login to ERPNext required (and if the file is not shared with the logged-in person, access should be blocked)

I opened these a while ago with the same concerns.

https://github.com/frappe/erpnext/issues/9127

https://github.com/frappe/erpnext/issues/9014

How about using the nginx internal directive to protect direct file access?

location /private { internal; }

This will lock browser file access, but the file can still be accessed by the application, and it can check for the login… In this case, the files could remain as files (instead of in the db), but access can be restricted.

A file access module could then handle file requests, e.g.

rewrite ^/private/(.*) /files/$1 last;
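A minimal sketch of the gate described above, added here as an example (not Frappe's own code): the application verifies the session and the file's sharing, then hands the normalised path back to nginx via X-Accel-Redirect, the header nginx honours for a location marked internal. The session store, the per-file ACL, the /private alias and the download endpoint shape are all constructed assumptions.

```python
import posixpath
from urllib.parse import parse_qs, unquote

# Constructed sample data standing in for the real session and sharing tables.
SESSIONS = {"sid-alice": "alice", "sid-bob": "bob"}
FILE_ACL = {"offer.pdf": {"alice"}, "payroll.xlsx": {"hr"}}

# Assumed nginx side in front of this app:
#   location /private/ { internal; alias /path/to/site/private/files/; }
# A browser asking for /private/... directly gets 404; only a response from
# the app carrying X-Accel-Redirect can make nginx serve from that location.
INTERNAL_PREFIX = "/private/"


def safe_name(requested):
    """Normalise the requested name and refuse anything that could leave the dir."""
    name = posixpath.normpath("/" + unquote(requested)).lstrip("/")
    if not name or "\x00" in name:
        return None
    return name


def gate(session_id, requested):
    """Decide the answer to a download request; returns (status, headers)."""
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 Unauthorized", [("Content-Type", "text/plain")]
    name = safe_name(requested)
    if name is None or user not in FILE_ACL.get(name, set()):
        # Unknown file and unshared file look the same to the caller.
        return "403 Forbidden", [("Content-Type", "text/plain")]
    # Empty Content-Type lets nginx pick the type from its mime map (assumption).
    return "200 OK", [("X-Accel-Redirect", INTERNAL_PREFIX + name),
                      ("Content-Type", "")]


def app(environ, start_response):
    """WSGI endpoint: GET /api/download?file=<name> with a 'sid' cookie."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    cookies = environ.get("HTTP_COOKIE", "")
    sid = dict(c.strip().split("=", 1) for c in cookies.split(";")
               if "=" in c).get("sid")
    status, headers = gate(sid, qs.get("file", [""])[0])
    start_response(status, headers)
    # On success the body stays empty; nginx streams the file itself.
    return [b""] if status.startswith("200") else [status.encode()]
```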