Security issue - Attached files

Hey guys,

As I work more and more with ERPNext, getting used to it for our organization and making sure it's a good fit (I think it is amazing), I still need to make sure it's a robust and secure system, as it is one that handles very sensitive information such as social security info, addresses, bank info, etc.

The issue I found was with documents attached to users (or anything, for that matter).

It uploads them as the filename (e.g. contact.doc), so the URL attached to the user is erp.mywebsite.com/files/contact.doc

The issue is that this URL can be relatively easy to guess and is accessible for download by unauthenticated users. I copied the URL to another browser and the download began immediately.

I think the best solution would be no access unless logged in or authorized. Or, at the very least, rename the file to some random hash.doc/pdf/filename.

Please let me know what you think, or if there is some setting somewhere I missed that could be the issue too :smile:

Thanks again for your support and such great software.

Best,

2 Likes

I agree this is a serious issue. My client wants to attach sensitive documents like blueprints; something that shouldn't be accessible to other users in the system, let alone the public!

I believe the correct way to handle this would be to store the files in a non-HTTP-accessible location; files would have to be requested and streamed via the framework, not served directly by the web server. Frappe needs to validate the request for the file!

Here’s a discussion on the topic:

1 Like
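Added example (not Frappe/ERPNext code) of the approach described in the reply above: uploads are written under random names into a directory outside the web server's document root, and a framework-side handler authenticates the requester, checks permission on the owning record and only then streams the bytes. StoredFile, store_upload, serve_file, has_permission, private_root and the sample users/records are assumed names constructed for this example.

```python
import secrets
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, Optional, Tuple
@dataclass
class StoredFile:
    file_id: str        # opaque id used in the URL instead of the original name
    disk_name: str      # random name on disk; the original name is kept only here
    original_name: str
    owner_doctype: str  # the record the attachment belongs to (assumed fields)
    owner_name: str
_FILES: Dict[str, StoredFile] = {}  # stands in for the framework's File table

def store_upload(original_name: str, data: bytes, owner_doctype: str,
                 owner_name: str, private_root: Path) -> StoredFile:
    """Write the upload under a random name below private_root (outside the document root)."""
    private_root.mkdir(parents=True, exist_ok=True)
    disk_name = secrets.token_hex(16) + Path(original_name).suffix
    (private_root / disk_name).write_bytes(data)
    rec = StoredFile(secrets.token_urlsafe(32), disk_name, original_name, owner_doctype, owner_name)
    _FILES[rec.file_id] = rec
    return rec

def serve_file(file_id: str, user: Optional[str], has_permission: Callable[[str, str, str], bool],
               private_root: Path) -> Tuple[int, bytes]:
    """Framework-side download: authenticate, look up, authorise, then stream (status, body)."""
    if not user or user == "Guest":
        return 401, b""
    rec = _FILES.get(file_id)
    if rec is None:
        return 404, b""
    if not has_permission(user, rec.owner_doctype, rec.owner_name):
        return 403, b""
    path = (private_root / rec.disk_name).resolve()
    if private_root.resolve() not in path.parents:
        return 404, b""  # defence in depth: never read outside private_root
    return 200, path.read_bytes()
def run_scenario() -> Tuple[str, int, int, int, int]:
    """Constructed walk-through: one attachment, four requests (statuses returned)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        rec = store_upload("contact.doc", b"constructed", "Contact", "CONT-0001", root)
        allow = lambda user, doctype, name: user == "hr@example.com"  # stand-in check
        return (rec.disk_name,
                serve_file(rec.file_id, None, allow, root)[0],               # anonymous
                serve_file(rec.file_id, "bob@example.com", allow, root)[0],  # logged in, no rights
                serve_file(rec.file_id, "hr@example.com", allow, root)[0],   # authorised
                serve_file("contact.doc", "hr@example.com", allow, root)[0]) # guessed name
```

The last request shows why the random name matters: knowing the original filename no longer yields a valid download id, and even a valid id still passes through the permission check.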

In 2020, is there any solution?