Upcoming: New restrictions on Forms File upload access

mwelch
HubSpot Alumni
What's happening?

We are going to change form file upload urls to require HubSpot users authentication for access/download.

 

New file links will be in the following form: 

https://api.hubapi.com/filemanager/api/v2/files/123/signed-url-redirect?&portalId=123&filename=examp...

We will also change the accessibility of old files. We will update the old file urls on the submissions and contact records. The old, publicly accessible links will cease to work at that time and will return 404 responses.

 

Why is this happening?

HubSpot forms handle a lot of different kinds of information, some of which may be private in nature. To foster trust and ensure proper data handling, we will require HubSpot users authentication to access files uploaded via these forms.

 
When is this happening?

This change is happening on October 16, 2019.

 

Please join the conversation here if you have any comments or questions.

 

Edit (11/07/2019): Link to update on changelog.

72 Replies 72
tylerstouder
Participant

Can someone share how to do this without a developer resource?

0 Upvotes
mwelch
HubSpot Alumni

We have published some sample PHP code that may help folks get started in working with this new secure download mechanism.

 

https://github.com/HubSpot/integration-examples-php/tree/master/form-submission-file-download-app

0 Upvotes
KeyWestScott
Key Advisor

Per step #1....  "Listen for a webhook for the file upload field (customer-defined, but similar to this"

 

I've been listening all weekend and didn't hear a thing.  Other than complaints from staff, that they can't get the files they need.

 

Scott

hollyeg
Member

This has been a big problem for our company. The forms are a great way for our customers to share special circumstances with the sales team. The customer makes the choice to send , and the expectation is that the sales team will receive it.

 

It caught us all by surprise. The "fix" is to make the whole sales team "users." This opens us up to all kinds of problems. Instead of being more secure, we are all less secure.

 

Please fix this.

Birgitte
Participant

I couldn't agree more. The security is severely downgraded.
br. Birgitte

4392087
Participant

We have continued to work with our integration host, Zapier, and the biggest setback to this change seems to be that the authorization token expires too quickly. On the developers page, it seems that an authorization token should last six hours but during the change process we are logged out and cannot access the file. 

 

It is frustrating to think we have a solution, or HubSpot will assist in a solution, but there seems to be problem after problem and no end in sight. it has been almost two months since this change took place, with a shoddy implementation plan that has left many customers frustrated and broken our automations. 

 

I am concerned that HubSpot is not doing anything on their end to help their integration partners find a solution.

0 Upvotes
VoiceofCustomer
HubSpot Employee

Hi Everyone!

 

I wanted to let you know that the product team is aware of the concerns on this thread and actively working on it. Thank you for your continued patience.

 

-Amanda

 

KeyWestScott
Key Advisor

I sincerely hope so.  Even after all this time, my HR staff came to me just this week, asking when or if Hubspot was going to fix this.

 

Scott

0 Upvotes
morganmcgee
Contributor

Adding to this thread as well. We have forms in which members can upload their headshots. We had previously used the API to transfer the headshots to our platform, but this update broke that process. Looking forward to a fix.

0 Upvotes
sunjan
Participant

Hi!

HS support staff sent me here.
Our problem is related to the security change.

We have a web form where customers upload files for us. We process the files and are expected to delivery it back to the customer with the exact same file name.

 

But Hubspot alters the name and adds a unique ID in frot of the file name. This means extra work for our staff having to edit all file names.
If we don't edit the name, our Windows folder/file name length becomes too long (more than 255 characters) and it breaks the tools we use to process the file.
The altered file name is a dealbreaker for us.

HS support referred to the security aspect mentioned by @mwelch. But since the file is still only available for the user after logging in, I don't see how the file name itself would make any difference security wise. Other file download/upload services has managed to solve this while keeping the name intact, so I don't see why Hubspot shouldn't.

KeyWestScott
Key Advisor

Just  a quickie here.  And in my opinion, I wouldn't expect HS to do anything to remedy this/your situation.  They made this decision, seemingly, without much thought or planning as to how it would effect their customers and it's basically now a "hands off" development, that will not be changed.  

 

As I'm sure you read in this thread, a lot of companies were adversely effected by this change and the prevailing thoughts from them are "too bad" - this is the way it is......

 

Scott

narjune1
Member

Hello Good Morning, so with this new URL format, is there an actual image URL within the signed-url-redirect link, or can you only access it through the redirect? Meaning this URL from hubspot is having a redirect:

 https://api.hubspot.com/form-integrations/v1/uploaded-files/signed-url-redirect/26400117056?portalId...

 

and this other random image URL does not, it simply provides the image: 

https://via.placeholder.com/300.png/09f/fff%20C/O%20https://placeholder.com/

0 Upvotes
Uusteri
Contributor | Diamond Partner

Has there been any workaround to this issue? This seems like a relatively basic feature. We use these files to create a task for deals which makes the task links unreadable (plus if there are several files the links do not even have line breaks in between and the task considered all the files as one link...). These files are crucial for sales, without them it's like cold-calling someone who left their email/phone number

 

Well, a workaround is of course that you open up the contact record and see the form submission from there. BUT since sales reps mostly work with the mobile app, nothing can be seen there. Why can't these files be considered as attachments? Or at least make the task formattable via automation so people could view a link that is formatted horribly so: https://api.hubapi.com/filemanager/api/v2/files/123/signed-url-redirect?&portalId=123&filename=examp...

 

Or a preview of the pdf, Image or any type of document? 

 

This is very frustrating for sales reps and they have stopped updating deals (which means contact requests are not being answered). Couldn't there be an option in the form File upload where you choose is the document private or not? 

 

Just suggesting some ideas from the top of my head. Hope we get some kind of workaround to this! Thanks

0 Upvotes