Upcoming: New restrictions on Forms File upload access

mwelch
HubSpot Alumni
What's happening?

We are going to change form file upload urls to require HubSpot users authentication for access/download.

 

New file links will be in the following form: 

https://api.hubapi.com/filemanager/api/v2/files/123/signed-url-redirect?&portalId=123&filename=examp...

We will also change the accessibility of old files. We will update the old file urls on the submissions and contact records. The old, publicly accessible links will cease to work at that time and will return 404 responses.

 

Why is this happening?

HubSpot forms handle a lot of different kinds of information, some of which may be private in nature. To foster trust and ensure proper data handling, we will require HubSpot users authentication to access files uploaded via these forms.

 
When is this happening?

This change is happening on October 16, 2019.

 

Please join the conversation here if you have any comments or questions.

 

Edit (11/07/2019): Link to update on changelog.

72 Replies 72
Uusteri
Contributor | Diamond Partner

Has there been any workaround to this issue? This seems like a relatively basic feature. We use these files to create a task for deals which makes the task links unreadable (plus if there are several files the links do not even have line breaks in between and the task considered all the files as one link...). These files are crucial for sales, without them it's like cold-calling someone who left their email/phone number

 

Well, a workaround is of course that you open up the contact record and see the form submission from there. BUT since sales reps mostly work with the mobile app, nothing can be seen there. Why can't these files be considered as attachments? Or at least make the task formattable via automation so people could view a link that is formatted horribly so: https://api.hubapi.com/filemanager/api/v2/files/123/signed-url-redirect?&portalId=123&filename=examp...

 

Or a preview of the pdf, Image or any type of document? 

 

This is very frustrating for sales reps and they have stopped updating deals (which means contact requests are not being answered). Couldn't there be an option in the form File upload where you choose is the document private or not? 

 

Just suggesting some ideas from the top of my head. Hope we get some kind of workaround to this! Thanks

0 Upvotes
narjune1
Member

Hello Good Morning, so with this new URL format, is there an actual image URL within the signed-url-redirect link, or can you only access it through the redirect? Meaning this URL from hubspot is having a redirect:

 https://api.hubspot.com/form-integrations/v1/uploaded-files/signed-url-redirect/26400117056?portalId...

 

and this other random image URL does not, it simply provides the image: 

https://via.placeholder.com/300.png/09f/fff%20C/O%20https://placeholder.com/

0 Upvotes
sunjan
Participant

Hi!

HS support staff sent me here.
Our problem is related to the security change.

We have a web form where customers upload files for us. We process the files and are expected to delivery it back to the customer with the exact same file name.

 

But Hubspot alters the name and adds a unique ID in frot of the file name. This means extra work for our staff having to edit all file names.
If we don't edit the name, our Windows folder/file name length becomes too long (more than 255 characters) and it breaks the tools we use to process the file.
The altered file name is a dealbreaker for us.

HS support referred to the security aspect mentioned by @mwelch. But since the file is still only available for the user after logging in, I don't see how the file name itself would make any difference security wise. Other file download/upload services has managed to solve this while keeping the name intact, so I don't see why Hubspot shouldn't.

KeyWestScott
Key Advisor

Just  a quickie here.  And in my opinion, I wouldn't expect HS to do anything to remedy this/your situation.  They made this decision, seemingly, without much thought or planning as to how it would effect their customers and it's basically now a "hands off" development, that will not be changed.  

 

As I'm sure you read in this thread, a lot of companies were adversely effected by this change and the prevailing thoughts from them are "too bad" - this is the way it is......

 

Scott

VoiceofCustomer
HubSpot Employee

Hi Everyone!

 

I wanted to let you know that the product team is aware of the concerns on this thread and actively working on it. Thank you for your continued patience.

 

-Amanda

 

KeyWestScott
Key Advisor

I sincerely hope so.  Even after all this time, my HR staff came to me just this week, asking when or if Hubspot was going to fix this.

 

Scott

0 Upvotes
morganmcgee
Contributor

Adding to this thread as well. We have forms in which members can upload their headshots. We had previously used the API to transfer the headshots to our platform, but this update broke that process. Looking forward to a fix.

0 Upvotes
4392087
Participant

We have continued to work with our integration host, Zapier, and the biggest setback to this change seems to be that the authorization token expires too quickly. On the developers page, it seems that an authorization token should last six hours but during the change process we are logged out and cannot access the file. 

 

It is frustrating to think we have a solution, or HubSpot will assist in a solution, but there seems to be problem after problem and no end in sight. it has been almost two months since this change took place, with a shoddy implementation plan that has left many customers frustrated and broken our automations. 

 

I am concerned that HubSpot is not doing anything on their end to help their integration partners find a solution.

0 Upvotes
hollyeg
Member

This has been a big problem for our company. The forms are a great way for our customers to share special circumstances with the sales team. The customer makes the choice to send , and the expectation is that the sales team will receive it.

 

It caught us all by surprise. The "fix" is to make the whole sales team "users." This opens us up to all kinds of problems. Instead of being more secure, we are all less secure.

 

Please fix this.

Birgitte
Participant

I couldn't agree more. The security is severely downgraded.
br. Birgitte

samanthacrist
Participant

Jumping in on the bandwagon so I can get email updates.

 

As many of you have already indicated in this thread, this functionality is severely limiting.

 

I have been working since July with my Human Resources team to automate a significant portion of their Applicant Tracking System because they are short-staffed and are drowning in applicants.  We just launched it completely this week and so it was very disappointing to learn that we now might not be able to automate those resumes/cover letters to go to the hiring managers for the open positions.

 

I'm familiar with HubSpot making changes on the fly (been using them since 2016) -- and I admit that it is usually for the better -- but this change has me scratching my head. Thanks for the link to the changelog -- this is now bookmarked on my browser and I will reference it frequently.

 

@mwelch I really do hope you and your team come up with a solution. Maybe a toggle setting within the property to opt-in and out of this functionality? You could always default it to "on", then we (the users) could just turn it off for the ones that interact with our internal workflows. Or even if you could designate the workflow as an internal workflow so you can bypass that rule.

0 Upvotes
mwelch
HubSpot Alumni

We have published some sample PHP code that may help folks get started in working with this new secure download mechanism.

 

https://github.com/HubSpot/integration-examples-php/tree/master/form-submission-file-download-app

0 Upvotes
KeyWestScott
Key Advisor

Per step #1....  "Listen for a webhook for the file upload field (customer-defined, but similar to this"

 

I've been listening all weekend and didn't hear a thing.  Other than complaints from staff, that they can't get the files they need.

 

Scott

samanthacrist
Participant
Spoiler
 

Has there been any updates?

tylerstouder
Participant

Can someone share how to do this without a developer resource?

0 Upvotes
Codi
Member

Please is there an update on this issue, especially for those who used to connect to Hubspot api? Is there a workaround as this change has "killed" our automations around Hubspot?
Surely it does not make sense to keep paying the normal Hubspot subscription fees when this key feature is not available as this situation has created manual jobs in my Organization, where we did not even have the extra manpower.

mwelch
HubSpot Alumni

We have posted a new changelog entry that details the updates to support authenticated access to these files, and which contains links to relevant documentation. Thanks for your patience as we built these new capabilities.

0 Upvotes
samanthacrist
Participant

Anyone know a developer who could record this process on a VidYard tutorial and post it? I've tried setting this up myself using the resources but it's like it's in another language. I'm completely lost.

 

@mwelch please look into additional options for us non-developers.

0 Upvotes
KeyWestScott
Key Advisor

So, in reading this...  And please correct me if I'm wrong.  The only way to get a file is to have a developer write an "app" of some sort?  **bleep**?????

 

You still have not, as documented, provided a SECURE means of a regular HS user to access these files.

 

Scott

tylerstouder
Participant

Can this be done in Zapier?  Glad we have to use development resources to accomplish this.