APIs & Integrations

mwelch
HubSpot Alumni
HubSpot Alumni

Upcoming: New restrictions on Forms File upload access

What's happening?

We are going to change form file upload urls to require HubSpot users authentication for access/download.

 

New file links will be in the following form: 

https://api.hubapi.com/filemanager/api/v2/files/123/signed-url-redirect?&portalId=123&filename=examp...

We will also change the accessibility of old files. We will update the old file urls on the submissions and contact records. The old, publicly accessible links will cease to work at that time and will return 404 responses.

 

Why is this happening?

HubSpot forms handle a lot of different kinds of information, some of which may be private in nature. To foster trust and ensure proper data handling, we will require HubSpot users authentication to access files uploaded via these forms.

 
When is this happening?

This change is happening on October 16, 2019.

 

Please join the conversation here if you have any comments or questions.

 

Edit (11/07/2019): Link to update on changelog.

72 Replies 72
KeyWestScott
Key Advisor

Upcoming: New restrictions on Forms File upload access

Amen to all points, but mostly #3!

 

And then to add a #4 - Have a disaster / fall back plan.

 

Scott

0 Upvotes
KeyWestScott
Key Advisor

Upcoming: New restrictions on Forms File upload access

Matt, so this "user", what security within HS will this user have/require?  Remember, that for most of the folks that have commented here, this user, will have no other responsibility/duties/needs other than to retrieve the file.

 

Without a locked down security profile, this is no more secure than whatever the perceived sercurity risks (that I've yet to find an explanation behind) that brought on this original change.

 

For our application, our process is fairly simple (I do understand that others have more complex setups).  

 

Job resume submission - 

  1. Applicant fills out a form and attaches file to the form
  2. HS takes the form information and file and emails it internally to our HR representative
  3. Representative opens/retrieves the file.

Easy Peasy.....  I do not want this person to have any access to any part of the HS platform outside of getting this forms information and file.  No access to any dashboards, reports, marketing, social - Nothing, Nada, Zilch.

 

Scott

 

cjisndenial
Participant

Upcoming: New restrictions on Forms File upload access

Scott we did that for a while before we got our automation working. We setup a user who had every permission turned off except files. They could log in to hubspot but basically had a blank UI. They couldn’t even navigate to the Files UI. But they could click the file links in form submission emails and retrieve those.
0 Upvotes
tylerstouder
Contributor

Upcoming: New restrictions on Forms File upload access

@cjisndenial  -

 

This wouldnt work for a large company like ours.  We aren't goin to create a large number of logins and expect our team to try to remember another password for a software that is irreleavant to them to use. 

 

0 Upvotes
jlgrogan22
Participant

Upcoming: New restrictions on Forms File upload access

This was a poorly thought through change. 

 

A binary on/off change should have been more proactively communicated and with far greater advance notice. Further, a binary on/off change should have had a transition period.

 

For example: Upon rollout, there might have been no change for existing customers. However, existing customers might have been given option to elect the feature. After six months, the feature might then have become manadatory for all. This would have allowed customers to test the change and provide needed feedback to Hubspot. 

 

At the moment, our integrations are broken. It appears no thought was given to the use case of programmatic / API-driven download of files from Hubspot. No documented means of authentication allows for programmatic download.

 

Prior to changing existing functionality, community feedback should be solicited. Had feedback been solicited, the full set of use cases to be supported might have been appreciated prior to implementing such a change.

 

First, do no harm.

cjisndenial
Participant

Upcoming: New restrictions on Forms File upload access

Well I just wrote a nice long note explaining the issue we're having with this new endpoint, and it has been deleted as spam.  😞  So I'll write a shorter version and see if sticks.  🙂

 

We have a service that receives a webhook when a user fills out a form on our HubSpot CMS site.  The form includes a file upload.  The files URLs now have the new format.

 

Unfortunately, our service can't retrieve files anymore since this change.  Adding our HAPI to the querey string doesn't help.  Using OAUTH headers on the request doesn't help.  No matter what, our service is sent to a login page meant for a human and dies with a 503.  

 

We can call https://developers.hubspot.com/docs/methods/files/get_files_file_id with the filename and see information about the file.  But there's no longer enough information in that API response to get a working download link either.  😞

4392087
Participant

Upcoming: New restrictions on Forms File upload access

We have the same problem happening. Our integration webhooks, who are supposedly partners with HubSpot, are having difficulties finding a solution. All the "solutions" we are receiving is to come back to this thread. What HubSpot is telling us is that they made a change, and we just have to accept it. They are not willing to work to find a solution after they made a change when they realized they weren't securing peoples information aka file URLs. 

 

Whats the point of HubSpot saying they work with other systems when obviously they are not compatable or willing to help? Will all of us having an issue have to say goodbye to HubSpot? I don't see HubSpot actively working on a solution and am dissapointed. It has been a week since this change has occured and many of our systems are now delayed and we have to workaround manually with a company that preaches automation. 

KeyWestScott
Key Advisor

Upcoming: New restrictions on Forms File upload access

@mwelch Can you please comment on this?  As you can see this is causing your CUSTOMERS a great deal of grief, confusion and uncertainty.   We are a least due a response.  Even if it's a simple #GetOverIt...... ( though that wouldn't be acceptable LOL)

 

Scott

mwelch
HubSpot Alumni
HubSpot Alumni

Upcoming: New restrictions on Forms File upload access

Hi All,

 

I don't have the perfect answer for you right now, but I wanted to let you know that we hear you and are actively investigating workarounds. At the moment, I don't have a solution to provide you, nor can I promise that we'll be able to provide a solution.

 

We made this change because data security is of paramount importance to HubSpot. We understand, though, that this change has caused pain and the team is assessing alternative options now. I will update this thread tomorrow on any progress/updates.

 

Thanks,
Matt

0 Upvotes
KeyWestScott
Key Advisor

Upcoming: New restrictions on Forms File upload access

@mwelch Looking for a solution?????

 

Rolling back the changes IS the solution! ! ! 

 

You are causing many business' time, effort and money to fix something that wasn't broken!

 

Scott

Nath
Member | Diamond Partner
Member | Diamond Partner

Upcoming: New restrictions on Forms File upload access

@mwelch Thanks for the update - looking forward to a speedy resolution.

0 Upvotes
cjisndenial
Participant

Upcoming: New restrictions on Forms File upload access

My company is also impacted by this change and the lack of appropriate notification.  Contacting support simply resulted in us being directed to this forum post with a promise of resolution or workaround tomorrow. I'm a bit worried that our specific use case may not be fully understood, so I would like to lay it out here. ..

 

Our website is based on HubSpot CMS and contains a form where potential employees can apply to jobs.  The application is taken as a hubspot form, and resumes are attached to that form submission as files.

 

We run a service that receives a webhook from HubSpot every time the form is submitted.  It takes the applicants information and shuttles it to our applicant tracking system.  The resume file itself is not included in the webhook, rather a link to the resume is included.  Our service downloads the resume from HubSpot using that link, uploads the resume to our applicant tracking system, and then uses the HubSpot filemanager API to delete the resume file from HubSpot.

As of October 19, our service is no longer able to download the resumes from HubSpot.  The URL scheme included in the webhooks has indeed changed to something that looks like this:  api.hubspot.com/filemanager/api/v2/files/18952347353/signed-url-redirect?portalId=IDREDACTED&filename=FILENAMEREDACTED.pdf

 

We've tried adding our HAPI parameter to the querey string, and we've tried sending an OAUTH 2.0 authorization token in the request headers, none of which are accepted by this API endpoint.  No matter what we do, the URL redirects our service to a login page meant for a live user, which results in a 503 Service Temporarily Unavailable.  No good.

 

This is a critical business process for us that must be fixed urgently.  Your support is greatly appreciated.  

AirswiftRob
Contributor

Upcoming: New restrictions on Forms File upload access

We have also been impacted hugely by this change - without any forewarning or explanation of the issue. We moved our CMS to HubSpot from Wordpress in order to improve teh integration of our systems. However, we need to be able to send resumes uplaoded to a CV parser for our recruitment application tracking system. We had a workaround via a partner but this has been switched off.

 

This has a dramatic impact on our business and questions the viability of moving to HubSpot

 

Please find a solution urgently

christinaboatwr
Participant

Upcoming: New restrictions on Forms File upload access

Well if the pictures are already posted on my blogs, will they not be fixed.  Do I need to go through all of my blog images that I have acting up and change them?  I have no idea which pictures there were that were uploaded to forms.  I will have to start over?

 

Thank you,

 

Christina

0 Upvotes
christinaboatwr
Participant

Upcoming: New restrictions on Forms File upload access

In my opinion, having to go through all of my blogs and replace the pictures is quite cumbersome and you guys should have had a resolution to solve this problem.  Maybe a "grandfather" in old fils resolution.  

 

0 Upvotes
Lmartin
Participant

Upcoming: New restrictions on Forms File upload access

Hi, 

 

We encounter some major issues with this rollout. As we are sharing and sync files' links for various internal processes and over a long period of time, we are now facing important issues since none of these links work. Also, we won't create a Hubspot account to all concerned colleagues. 

 

I asked your support if there is a way to have at least link redirection from the former download URL to the new ones (even with log-in restriction), the answer was no. Have you any workaround solution to have the legacy links working?

 

We are very disappointed with this change.

 

Birgitte
Participant

Upcoming: New restrictions on Forms File upload access

We have some forms where a customer can upload a file (img+pdf) to share with us. This is with the Field typoe “File" in Property.
These files are being passed on to our co-workers and partners via workflows. But after your changes the files cannot be opened without being logged in to HubSpot.

It is not a solution for us, to create users for the partners, when they receive file-links from us.

In our forms the customer agrees that we can handle the information they give us, so could you please make an alternative to the limitation you have created with this restriction? We need to be able to pass on attached file-links to Partners and co-workers.

 

I really hope you will look into this.

Best wishes

Birgitte Kjær Hansen

Denmark

chandirabose
Member

Upcoming: New restrictions on Forms File upload access

Since this change was made, we couldn't access the files using hubspot API call and I hope the API calls are authenticated one to access the file. Do you have any solution for the hubspot API customers to access the files ?

Nath
Member | Diamond Partner
Member | Diamond Partner

Upcoming: New restrictions on Forms File upload access

This has had severe implications to our entire customer experience and onboarding process, we need a solution HubSpot. What's the point of an open API if it's closed.

KeyWestScott
Key Advisor

Upcoming: New restrictions on Forms File upload access

@mwelch Like others that have commented.  There was no notice that this was being done and no guidance on how to accomodate this radical change.

 

Our users that receive these files have NO NEED what so ever to have any access to HS (other than this rediculus mandate).  What access do we have to grant to these new users, that will ONLY  grant them access to this "file feature" and nothing else. No reports, no dashboards, no sales, no marketing, NO NOTHING!!!

 

Your current user security setups are much more of a security threat, ie too lax, than any percieved threat.

 

Scott

PTPsupports
Participant

Upcoming: New restrictions on Forms File upload access

Agreed! I don't want to add 30+ people to our hubspot account. Also, there are still glitches b/c when the users I added (b/c of this update) log in, they can only see submissions from 10/15 and earlier. I had to send them a link to the submissions for each form to view the latest.

 

I personally think why did you have to mess with something that was working great?? Or why not just add this measure to the customers that need extra security?? 

 

This change has highjacked my week and I'm having to figure out a solution... my thoughts are dump hubspot, but again that will take a ton of work to migrate my web forms. Hubspot needs to figure out a solution... don't just respond apologizing, that doesn't help me!