Clarified upload usage and security considerations

Ingo Schommer 2015-08-28 10:11:43 +12:00
parent 5288c4d441
commit abae27f41f
2 changed files with 27 additions and 0 deletions

View File

@ -19,6 +19,29 @@ After installation, make sure you rebuild your database through `dev/build`.
You should see a new PageType in the CMS 'User Defined Form'. This has a new 'Form' tab which has your form builder.
## File Uploads and Security
The module allows adding a "File Upload Field" to a form,
which enables users of this form to upload files to the website's assets
so they can be viewed later by CMS authors. Small files
are also attached to the (optional) email notifications
to any configured recipients.
Allowed file extensions can be configured globally through `File.allowed_extensions`,
and default to a safe set of files (e.g. disallowing `*.php` uploads).
The allowed upload size is determined by PHP configuration
for this website (the smaller value of `upload_max_filesize` or `post_max_size`).
Since uploaded files are kept in `assets/` folder of the webroot, there is no built-in
permission control around who can view them. It is unlikely
that website users guess the URLs to uploaded files unless
they are specifically exposed through custom code.
Nevertheless, you should think carefully about the use case for file uploads.
Unauthorised viewing of files might be desired, e.g. submissions for public competitions.
In other cases, submissions could be expected to contain private data.
Please consider securing these files, e.g. through the [secureassets](http://addons.silverstripe.org/add-ons/silverstripe/secureassets) module.
### Custom email templates
If you want to use custom email templates set the following config option.
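Review bot: the sentence "Unauthorised viewing of files might be desired, e.g. submissions for public competitions" says the opposite of what is meant; "unauthorised" suggests a breach, while the example describes deliberately public submissions. Suggest "Public (unauthenticated) viewing of files might be desired, e.g. submissions for public competitions." In the same paragraph, "It is unlikely that website users guess the URLs to uploaded files" leans on URL obscurity as a control, yet the hunk itself states there is "no built-in permission control" and the default location is the predictable `assets/Uploads` folder; it would be safer to state plainly that uploaded files are publicly readable by anyone who knows or guesses the path, and to present the secureassets module as the expected setup for private data rather than as an afterthought. Finally, since the section names `File.allowed_extensions` and the PHP `upload_max_filesize` / `post_max_size` settings, a short YAML config example for `File.allowed_extensions` and a note that email attachments copy the file outside the webroot (so securing `assets/` does not cover the mailed copy) would make the guidance actionable.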

View File

@ -111,6 +111,10 @@ The folder that this field uploads to can be customised by selecting "Show Optio
and then selecting a new folder from the "Select upload folder" option. If no folder
is selected it will upload by default to the "Uploads" folder.
Only certain file extensions are considered safe for upload,
e.g. webserver script files will be denied but images will be allowed.
The webserver environment also imposes a limit on file size by default.
#### Heading
Selecting a Heading allows adds a place where you can put a heading for a form, or for
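Review bot: the two added sentences ("Only certain file extensions are considered safe for upload ..." and "The webserver environment also imposes a limit on file size by default.") leave the reader without a pointer to where either setting lives; the README in this same commit names `File.allowed_extensions` and the `upload_max_filesize` / `post_max_size` PHP directives, so link or repeat those names here, e.g. "Allowed extensions are configured via `File.allowed_extensions`; the size limit comes from the PHP `upload_max_filesize` and `post_max_size` settings." The docs should also say that files land in the publicly readable `assets/` area with no access control, since that caveat is stated in the README hunk but not in this user-facing page where CMS authors choose the upload folder. Drive-by style point in the unchanged context line: "allows adds a place" should read "adds a place".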