# 4.3.5 Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant by default. This is because it has the potential to escalate file access to users who otherwise should not have viewing permissions for the file. There is a minor performance trade-off for disabling these grants. If you have a page with a lot of images that are in a draft state or have custom viewing permissions, it adds an extra database query for each embedded image. With session grants enabled, the first permission check persists the grant into the session, meaning there is no need to query the database on every single file. Unless you have a lot of shortcode images embedded with protected or draft status on a single page, this setting is best left to its default value of `false`. To revert to the old behaviour: ``` SilverStripe\Assets\Shortcodes\FileShortcodeProvider: allow_session_grant: true ``` ## If you were using the versionedfiles on your 3.x site This release includes a security fix for users who migrated from a 3.x site that used the [versionedfiles](https://github.com/symbiote/silverstripe-versionedfiles) module. The file migration would have left the `_versions` folders in your public filesystem as artefacts, leaving all the unpublished versions of your old files publicly accessible under a guessable URL. To work around this, you can use the `VersionedFilesMigrationTask`: `$ vendor/bin/sake dev/tasks/migrate-versionedfiles strategy=[delete|protect]` If you choose the `delete` strategy (default), the task will delete all `_versions` files for you. Be sure to take a snapshot of your `public/assets` folder before doing so. If you choose the `protect` strategy, the task will drop an `.htaccess` file in your old `_versions` directories. **This method only works if you are using Apache to serve your static files**. If you are using another server such as Nginx, these files will remain publicly exposed. It is recommended you use the `delete` strategy if you are not using Apache.