- Posts: 10100
- Thank you received: 3589
Welcome to the LimeSurvey Community Forum
Ask the community, share ideas, and connect with other LimeSurvey users!
file upload question: where are the files stored?
- tpartner
- Away
- LimeSurvey Community Team
Cheers,
Tony Partner
Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
- jelo
- Offline
- Platinum Member
- Posts: 5033
- Thank you received: 1257
To find out the type of files you might try some of these tools:alexgarciac wrote: I can only find out the content of the file in my mac because preview is smart enough as to convert what ever it is and display it. but in windows I just cant find out how to determine the type of file
www.raymond.cc/blog/what-file-is-that-ho...es-types-and-format/
A obfuscation with filetypesuffix in cleartext wouldn't raise the risk of file exposure to third parties that much.
At least not for direct access via URL/path
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13622
- Thank you received: 2489
- Save file elsewhere on the disk (with a cleaner file name, but out of web access)
or
- Save file in DB
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
- holch
- Offline
- LimeSurvey Community Team
- Posts: 11639
- Thank you received: 2738
I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13622
- Thank you received: 2489
Like i put in the report : i think there are only 2 ways to have a clean upload file system
- Save in DB only : it's more difficult to find it ...
- Save on the server out of web server : need configuration
If anyone are interested by a plugin : 'moveFileUploadToDir' when survey is submitted : i can make an offer.
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
- jelo
- Offline
- Platinum Member
- Posts: 5033
- Thank you received: 1257
The issues around fileuploads storage are always:
1.) Preventing access via guessing a direct link to the file. E.g. when the pattern of the files is widely known.
2.) Prevent access when PHP is not working (correctly). E.g. php code will be displayed in the browser.
3.) Prevent access when Webserver is not working (correctly). E.g. htaccess no longer working.
4.) Make is easy to download file for survey admin.
For me the biggest issue with the current file upload question is the lacking of removing the files when deleting the survey and the database. The whole application gives the user the impression that the uploaded files are gone too.
The uploaded files stay on the server.
An option to config the upload path would be a good idea. That will allow people to move the storage location outside the webroot. Most people won't change it. But security gets improved. Same should be done with the databasebackup during the comfortupdate. These are also at risk of getting downloaded.
BTW: I always wonder why people use LimeSurvey for creating online-forms. Even the simplest address form looks strange with LS (E.g. too much space between the text inputs. No free positioning of fields.)
In public surveys the upload question is not that commonly used.
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13622
- Thank you received: 2489
BUT !jelo wrote: ....
For me the biggest issue with the current file upload question is the lacking of removing the files when deleting the survey and the database. The whole application gives the user the impression that the uploaded files are gone too.
The uploaded files stay on the server.
....
I think upload/survey/XXXX/ directory are deleted when delete a survey, it's not true ? Really a bug here ....
There are code for deleting files when you delete one response : github.com/LimeSurvey/LimeSurvey/blob/ma...els/Response.php#L14
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
- jelo
- Offline
- Platinum Member
- Posts: 5033
- Thank you received: 1257
DenisChenu wrote: I think upload/survey/XXXX/ directory are deleted when delete a survey, it's not true ? Really a bug here ....
There are code for deleting files when you delete one response : github.com/LimeSurvey/LimeSurvey/blob/ma...els/Response.php#L14
I only use LTS. You describe two situations:
1.) Deleting survey
2.) Deleting one response.
The most common scenario is just deactivating the survey and than from time to time doing a "check data integrity".
In that scenario the uploaded files stayed on the server. You can say that is an intended behavior but I doubt many users differentiate between database and file-based responses.
Will check again, but in the last years I always deleted uploads by hand from the server after the survey was deactivated and responses where purged via "check data integrity".
LS should clearly separate deleting of survey (structure and assets) vs. deleting of responses (db and uploads).
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13622
- Thank you received: 2489
Files are deleted when 1 and 2 , not when deactivated.
New checkbox when deactivate ????
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
- jelo
- Offline
- Platinum Member
- Posts: 5033
- Thank you received: 1257
Not sure yet.DenisChenu wrote: New checkbox when deactivate ????
To delete everything when the survey is deleted is a clear concept.
Other tools use that as well, with the difference that you don't have the deactivation. You have pause and can edit the survey during the collection.
LS wording when deactivating is
. So that is the truth. The upload question came later into the game. So perhaps adding a remark at this screen about uploads and the path will be quick fix to the situation.All responses are not accessible anymore with LimeSurvey. Your response table will be renamed to: ....
Technically I would prefer a export routine, which moves the database and the files to a folder, when the survey is deactivated. If the survey is reactivated the feature to reimport data is still possible. If the survey is deleted, all data is deleted.
Currently, if I reactivate the survey, but not reimport the old database the old uploads are still in the same folder as the new uploads.
The uploads are also not in the LSA export / import. Which is an issue from the user point of view. I understand the issues with the sizes. But from the user standpoint the uploads are part of the responses.
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13622
- Thank you received: 2489
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
- Csurvey
- Offline
- Senior Member
- Posts: 41
- Thank you received: 0
As someone (or something like a google robot for indexing ) could reach directly the material in /upload/survey/{SID}/files,
by entering the url in a browser, if i am not misunderstanding (we had a discussion about that a few month ago in this forum) , how would you do to protect that with a simple system login/pwd passed in the url from a question that direct to a file in this folder ?
I did some research about placing the clips in a dropbox or something like that, but there is no way to get a link containing login/pwd that i can fill in limesurvey interface with source for reaching the clip. The only way i know is functioning like that : everytime a clip is reached from this content dropbox, the participant get a window inviting to manually enter the pwd, or to enter once and indicate to the browser to record it.
I mean, i will have a survey with short clips that would be uploaded in /files, my participants are informed that they do not have the right to share this material i have the right to use for this survey but i do not own; but someone else or google could reach and index this url. Could i password protect the/files folder and a subfolder in /files, putting somewhere in the limesurvey question the login/pwd ?
It will be visible for my participants only, and that would be the best solution for me because they sign an agreement about not sharing files, so if they see the login/pwd in the url that is not a problem, but it would be like i want, not accessible for someone else scrawling the repertoire ?
Many thanks,
Best,
Chris