APIs & Integrations

mwelch
Exmiembro de HubSpot
Exmiembro de HubSpot

Upcoming: New restrictions on Forms File upload access

What's happening?

We are going to change form file upload urls to require HubSpot users authentication for access/download.

 

New file links will be in the following form: 

https://api.hubapi.com/filemanager/api/v2/files/123/signed-url-redirect?&portalId=123&filename=examp...

We will also change the accessibility of old files. We will update the old file urls on the submissions and contact records. The old, publicly accessible links will cease to work at that time and will return 404 responses.

 

Why is this happening?

HubSpot forms handle a lot of different kinds of information, some of which may be private in nature. To foster trust and ensure proper data handling, we will require HubSpot users authentication to access files uploaded via these forms.

 
When is this happening?

This change is happening on October 16, 2019.

 

Please join the conversation here if you have any comments or questions.

 

Edit (11/07/2019): Link to update on changelog.

72 Respuestas 72
tylerstouder
Colaborador

Upcoming: New restrictions on Forms File upload access

That is excatly what I did.   

mgoswick
Colaborador

Upcoming: New restrictions on Forms File upload access

Can we at least have access to files via FTP? Right now, there is almost no way to actually access the files in a user-friendly way. Had we been given ample notice, we would have downloaded the files before this change.

mwelch
Exmiembro de HubSpot
Exmiembro de HubSpot

Upcoming: New restrictions on Forms File upload access

Hi everyone,

As promised, I wanted to provide an update on where we are with this. The team met today to discuss a couple of possible workarounds for this issue. We don't have anything concrete to report just yet.

Thank you all for your continued patience as we try to find a solution for this. I'll provide an update here when we have something actionable to share.

Thanks,
Matt

0 Me gusta
KeyWestScott
Asesor destacado

Upcoming: New restrictions on Forms File upload access

Sorry to be the sticking point here.  But, its now been 2 days (now after 5pm EST on Friday) since your last update and we still don't have a workable system or even ideas as to how or when we might expect a resolution to this issue.....

 

I assume that HS has a Persona for frustrated customers! ! ! 

 

Scott

tylerstouder
Colaborador

Upcoming: New restrictions on Forms File upload access

Any updates?

mwelch
Exmiembro de HubSpot
Exmiembro de HubSpot

Upcoming: New restrictions on Forms File upload access

Hello everyone,

 

As I mentioned in my last update, our team has been actively investigating potential workarounds for this issue. Regrettably, in order to maintain data security, we have come to the conclusion that we will not allow files that have been uploaded via forms to be accessible publicly.

 

We are currently working on methods to allow these files to be accessed in an authenticated manner, in addition to the currently-available access through a HubSpot-logged-in browser. More information on that will be available later this week.

 

I know this is not the answer many of you were looking for, and am very sorry for any frustration and inconvenience this will cause.

 

Thanks,
Matt

0 Me gusta
zjkaufman
Miembro

Upcoming: New restrictions on Forms File upload access

My organization is dramatically impacted in a similar fashion to those that have commented previously. This change has significantly hindered our operational pipelines, and I do not feel messaging was adequately conveyed nor defended by Hubspot. We have the technical resources to respond to a change in spec/API access, but not the operational bandwidth to compensate for poor management of your functionality.

 

Looking forward to hearing re: a resolution in this thread as the week progresses.

PTPsupports
Participante

Upcoming: New restrictions on Forms File upload access

This is very bad. Like the rest of your upset customers, I will be researching hubspot alternatives and sharing this experience with colleagues, public reviews and social media circles.

 

For now, my work-around is to use gravity forms WP plug-in. The attachments are sent through HS the same way, but via a link sourced from my webserver. This is not ideal b/c it takes up server space and as with all plug-ins, there is a risk of issues popping up. This is also not a fix for my HTML site that we haven't migrated to WP yet.

 

Not looking good Hubspot!

 

 

0 Me gusta
4392087
Participante

Upcoming: New restrictions on Forms File upload access

Have you told your partner integration developers this? You can no longer provide a partnership with these integrations? Very confused on this road block, especially since this prevents automation. Surely if us and our partners can provide a new work around on the API it can still be secured and will lie on our end the protection rights vs HubSpot since it will be sent to another platform and thus out of your hands. 

tylerstouder
Colaborador

Upcoming: New restrictions on Forms File upload access

So in short....our buisness we would have to create an extra 40 users to be able to access these?

KeyWestScott
Asesor destacado

Upcoming: New restrictions on Forms File upload access

Hate to harp on it, but in addition to having to create those 40 new users. As part of this whole issue, of making the process more "secure" you will have to give these new users (as it stands now) access to parts of Hubspot that you most likely will not want them to have access to.  Since HS does not allow a granular application of security rights.

 

We will most likely, if things do not improve, abandon this whole process and look for another provider or methodology of having files submitted to our company.

 

If HS really wanted to beef up security, they could have simply had a means to enforce the types of files being uploaded, ie; not allowing Word/Excel/etc that have imbeded macros....  Poof - More Secure Files.

 

Scott

tylerstouder
Colaborador

Upcoming: New restrictions on Forms File upload access

I know...this might be the reason to push us to salesforce. 

Birgitte
Participante

Upcoming: New restrictions on Forms File upload access

Hi Matt

I just wanted to add that we, when using your application also have a responsibility to ensure the safety of passed files. So in the end it is our responsibility so ensure secure handling. Which is why I believe the roll-back is an appropriate action. Set a disclaimer to stay in the clear. And let us take responsibility of our shared files. 
Best wishes Birgitte

KeyWestScott
Asesor destacado

Upcoming: New restrictions on Forms File upload access

Any chance of you sharing the "workarounds"?  Not to be pesimistic, but the original plans didn't work out too good....

 

Thanks.

Scott

0 Me gusta
mwelch
Exmiembro de HubSpot
Exmiembro de HubSpot

Upcoming: New restrictions on Forms File upload access

Hi Everyone,

Thank you for your continued patience as we work out how to address the concerns that have been raised here. I’m pleased to report that we have a solution that will address many of those concerns while still maintaining the secure environment on which HubSpot prides itself.

Starting Monday, November 4th URLs for files uploaded via HubSpot forms will have new authentication support. The current implementation supports browser-based app authentication, which enables a user logged in to HubSpot on a browser to download files via that browser. On Monday, we’ll add OAuth header and HAPIkey support. So you’ll be able to retrieve files using standard authentication mechanisms.

Also on Monday, we’ll start migrating existing file URLs to this new format and support. This migration may take a day or two.

We strive to deliver a secure, powerful platform on which our customers can build great experiences. We appreciate the passionate feedback we’ve received over the past few weeks on this issue. 

Thanks,
Matt

0 Me gusta
KeyWestScott
Asesor destacado

Upcoming: New restrictions on Forms File upload access

For everyone else that the "fix" is not applicable or workable, what I did was basically to just go back old school and add  "mailto" html code and removed the Hubspot form.

 

I know that for many, getting that infomation into HS is important, so this will probably not be a solution to you.  But, we had to get something working, since there was no workable resolution presented.

 

Scott

PTPsupports
Participante

Upcoming: New restrictions on Forms File upload access

Has this solution rolled out yet?

 

If yes: Hubspot is still requiring recipients to sign into hubspot to view attachments.

If no: I'm confused about how this solution solves anything.

 

Please give us a status update, so we don't have to test it and look like idiots when our superiors ask us what's going on. "Hubspot not updating us" is not an acceptable excuse.

KeyWestScott
Asesor destacado

Upcoming: New restrictions on Forms File upload access

Matt / @mwelch Tried as of today and it seems that no consideration was given for setting up a user account, for file access only??

 

I have a test user that I have given them NO permissions in the Hubspot portal.  Yet, upon logon this user has acccess to:

  • Activity Feed
  • Conversations
    • Inbox and Chatflows
  • Files ( HUGE security hole!!!!!!!!!!!!!!!! )
  • Deals - Can create
  • Tasks - Can Create
  • Service - Can create tickets
  • Reports
    • Analytics Tools
    • Dashboards
    • View Reports

#1 How can a user that has effectively been given NO access rights, be able to access so much of the system?  The files portion is a gaping hole.  They could effectively delete every file in the website...!!!!!!!!!!!!

 

#2 How are we to access these files, SECURELY. Since security  was the motivating factor in this project, there has to be a way to do exactly that.

 

Scott

zjkaufman
Miembro

Upcoming: New restrictions on Forms File upload access

Matt -- 

 

I was glad to read of this solution. Can you offer any update re: rollout? Thank you.

0 Me gusta
mwelch
Exmiembro de HubSpot
Exmiembro de HubSpot

Upcoming: New restrictions on Forms File upload access

As you've likely noticed, new files have the new URL format as of Monday, and existing files are in the process of being moved to the new format.

 

At the same time, we're completing testing of the authenticated download functionality, and will be providing updates and documentation once that is complete. At that time, the files at these new URLs will be accessible via OAuth headers (with the correct scope), API key, and standard, browser authentication.

0 Me gusta
rgmatthes
Participante

Upcoming: New restrictions on Forms File upload access

Just wanted to mention that I'm cautiously optimistic about the solution being rolled out, barring no additional surprises. The update will allow us to deliver our files as needed with minor additional build. We can handle that. We also care about securing the data in these files. We do want to be able to tell everyone using this system that their information is protected.

 

That said, HubSpot really needs to work on a few things here:

 

  1. External communication. When I first called HubSpot about this issue, your support told me this change was communicated to us weeks ago. A post on this form does not constitute communication! Anything that has the potential to adversely affect existing build must be communicated via email to admins, and earlier than a few weeks time (to find and secure developers to update our build). This change wasn't even on your product update blog! You have to understand that businesses have lost real money due to this negligance. This is not just a bug, an annoyance, this is a monetary loss to the businesses you're supposed to be serving. It will affect livelihoods. What's more, you've also completely obliterated our trust. What other core functionality will you suddenly change without warning or workaround? And if you tell us it will never happen again, why should we trust your answer?
  2. Internal communication. I normally really like HubSpot support. This time around, it's clear the change completely caught them offguard too. One person told me the workaround is to programmatically download the file and store it on a separate server, despite that not actually being possible. Another told me there is no planned fix, that this is final state, though clearly a fix was being planned. Today a third rep told me he asked around and found a third-party (paid) app to support our needs, despite your solution being annouced earlier this week (making his idea irrelevant). In short: get it together.
  3. Emailed attachments in workflows. Reading through this chain, I can see much of the pain of this update would have been mitigated if HubSpot allowed attachments to emails sent via workflows. For example, we could have set up a system where submitted forms generated emails (with attachments) that got sent to a unique mailbox, paired with separate automation to upload those emailed attachments to a seperate and internally accessible location. That could have worked for us, but there's apparently no way to send email attachments via workflow. Look at the comments in this thread. So many people are just emailing these files as attachments. Why not listen to your users and implement this basic feature?