Permissions for file management #143
Comments
I understood the above description as meaning "everyone in the team can upload/download files". But when testing I realised that currently any random user can tamper with files, which makes the feature rather fragile. Would you have any ETA to have at least basic security? Thanks a lot and happy Easter!
I think at least adding the ability to allow only authenticated users to upload files is really important. As I understand it, right now anyone can upload files and we can't even guarantee who uploaded which file. Even if more sophisticated permissions take longer to implement, it would be a good start to just have the option to restrict uploading to authenticated users and set an uploadedBy relationship on the File so we know who has uploaded what.
I agree @danmkent. This is a bit concerning and I'm looking forward to an ETA on this feature. Even a partial release where Upload is at least restricted to authenticated users would be a plus :) Liability issues can easily surface if there is malicious intent. Imagine having an S3 bucket open for anyone to upload to... One could easily use your account to host their own files.
Very easy, just require a valid Graphcool token for upload. The rest can come later. Now it's a Free For All file storage once you know a projectId, with possible billing issues, and some serious legal implications if anyone decides to upload illegal files to your storage. My temporary solution: I created a webtask as my own proxy that adds authentication (and encryption) and sets a field on my File Type, and I run a cron job that cleans up all File entries that don't have that special flag set. More details here: https://github.com/graphcool-examples/functions/blob/master/file-handling/file-proxy/auth-file-proxy/README.md
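The proxy-plus-cleanup workaround described in the comment above, as an added example that is not part of the thread or of the linked README. It assumes an HS256 bearer token carrying `userId` and `exp` claims; the `viaProxy` flag, the `forward` callback standing in for the File API call, and all function names are hypothetical.

```javascript
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Constructed helper so the example runs offline: issues an HS256 JWT.
function signToken(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Returns the user id for a valid, unexpired HS256 bearer token, else null.
function authenticate(authHeader, secret, nowSec) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader || '');
  if (!m) return null;
  try {
    const header = JSON.parse(Buffer.from(m[1], 'base64url'));
    if (header.alg !== 'HS256') return null; // pin the algorithm, reject "none"
    const want = crypto.createHmac('sha256', secret).update(`${m[1]}.${m[2]}`).digest();
    const got = Buffer.from(m[3], 'base64url');
    if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
    const claims = JSON.parse(Buffer.from(m[2], 'base64url'));
    if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
    return typeof claims.userId === 'string' ? claims.userId : null;
  } catch { return null; }
}

// Proxy step: authenticate first, then forward the upload and tag the record.
// `forward` stands in for the call to the backend File API and returns { id }.
function handleUpload(req, secret, nowSec, forward, tagged) {
  const userId = authenticate(req.authorization, secret, nowSec);
  if (!userId) return { status: 401 }; // nothing reaches storage
  const file = forward(req.body);
  tagged.set(file.id, { viaProxy: true, uploadedBy: userId });
  return { status: 200, id: file.id };
}

// Cron step: ids of File records that never got the flag. The grace period
// keeps the job from deleting a proxied upload that is not tagged yet.
function untaggedFiles(files, tagged, nowSec, graceSec) {
  return files
    .filter((f) => !tagged.has(f.id) && nowSec - f.createdAt > graceSec)
    .map((f) => f.id);
}
```

The cleanup job only limits how long a direct upload stays in storage; the File API itself remains open until the backend enforces permissions.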
I am slightly shocked this hasn't been implemented yet.
Are file permissions on the roadmap? If so, what does the time frame look like?
@marktani Any updates on this?
This issue has been moved to graphcool/graphcool-framework. |
Currently everyone can upload/download files using the File API. However, the permissions on the file model should be respected.