Security flaw? All attachments accessible to visitors
Do you use a Salesforce Force.com site?
And do you have attachments on any of your objects?
If so, any visitor can access any of your attachments by typing this url in their browser.
http://{yoururl}.na14.force.com/servlet/servlet.FileDownload?file={attachment.Id}
All they have to do is guess the id, which by the way is the easiest thing in the world to do since they are sequential numbers.
No authentication is required.
I just escalated a case to Salesforce and they told me it's working as intended o_O. I was told that since you can mark the attachments as "Private", no fix is required. However, marking the attachment as private essentially kills the attachment functionality because no one except the owner or the admin can read them. Also, by default all attachments are public.
This does not seem secure at all to me. Is there a way to control the access to the attachments when you are using a Force.com site?
If I give the read permission to the account object for the site user, I definitely do NOT want a random visitor to clean my Salesforce organisation of all its attachments, zip them, then post them on some shady website. What if I attach a credit card PDF to an account?
I've been unable to reproduce this. Do you have a case # I can look at?
Case Number: 09031212
Ram, that is correct. They are marked public because I need to share them within my organisation. Marking them as private makes it so only the owner and system admins can read them. This does not work since the attachments are medical reports and any healthcare personnel need to access them. That is not the problem, however. The problem is that anyone can guess the URL by changing just 1 character. This is similar to the recent Yahoo hacking where a malicious user simply changed one or two characters in the URL and could access other people's emails.
Edit the folder properties of the containing folder and set the access to all internal users - you have a bunch of choices here and will probably need to list all the roles within your Org that need access and restrict it to those roles. This works if all your users are "internal" to Salesforce, i.e., not coming in thru' Force.com sites.
Ram
Ram, I will give it a try. Can you give me a little bit of guidance with folders and attachments? I was aware that documents have a containing folder. But the attachment object does not have a folderid field. Is there a default folder that every attachment gets put into? Or do I need to convert all my attachments to documents in order to use this solution?
Ram
Thank you for offering this solution. However, the nice thing with attachments is that they can be associated to an account, whereas documents are not. In the case of medical reports we of course want them to be associated to an account and not just floating in the system.
Alex, Sure - makes sense. Question - are accounts accessible from your Force.com Site? If they don't have to be, try making them No Read access on the site. That should prevent the attachments on accounts from showing up as well.
Ram
Ram, the problem is that I am trying to make an access portal where physicians can download their patients' reports. If I set the object that is containing the attachment to unreadable, this will defeat the purpose. What I have done is that I have created a custom object called report whose sole purpose is to hold the attachment. This object is set to unreadable.
Then, I have created an Amazon instance and coded a Java remote access program to serve reports from the Salesforce platform in a secure manner.
Best,
Ram
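
The workaround described in the thread (keep the attachment-holding object unreadable to the site and serve reports through a separate authenticated service) depends on a per-request authorization check, so that knowing an id is never enough to download a file. A sketch of that check in Python, added here as an illustration and not the poster's Java program; the user names, attachment ids, ACL table and key are constructed.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample data: in a real service the key comes from a secret store
# and the ACL from the record-sharing rules of the backing system.
SECRET = b"constructed-demo-key"
ACL = {"dr_adams": {"ATT-A1", "ATT-A2"}, "dr_brown": {"ATT-B1"}}


def _sign(payload: str) -> bytes:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)


def issue_token(user, attachment_id, now=None, ttl=300):
    """Give an authenticated user a short-lived link token, or None if not allowed."""
    if attachment_id not in ACL.get(user, set()):
        return None
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{attachment_id}|{expires}"
    return f"{payload}|{_sign(payload).decode()}"


def authorize_download(session_user, token, now=None):
    """Return the attachment id to serve, or None (the caller answers 403)."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, attachment_id, expires, sig = parts
    payload = "|".join(parts[:3])
    # Constant-time comparison; any edit to user, id or expiry breaks the MAC.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return None
    current = time.time() if now is None else now
    if int(expires) < current:
        return None  # link has expired
    if user != session_user:
        return None  # token was issued to a different login
    if attachment_id not in ACL.get(user, set()):
        return None  # access revoked since the token was issued
    return attachment_id
```

The download handler calls `authorize_download` with the logged-in user from the session, never with a user name taken from the request.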