Originally posted on github :
https://github.com/mautic/mautic/issues/5052
When creating an asset, the download URL generated by Mautic is: https://mautic.company.com/asset/1:internal-id-of-asset
Customers asked us why the internal id was exposed in the generated public URL.
We thought it was for security concerns: maybe Mautic would check that both the internal-id and the numeric id match before processing the download. But that is not the case: as soon as you type in the URL
https://mautic.company.com/asset/1:any-string
the download is processed.
This way, a competitor knowing that you're using Mautic could request all the assets by creating a single batch to loop across all numeric IDs.
I think mautic should implement a URL verification for both the numeric id and internal name provided.
If the internal name doesn't match the numeric ID, the download should be forbidden.
PS: maybe we should lock internal-id modification once the asset has already been created (like for custom fields).
Any feedback from the community?
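The check proposed in the issue, as an added illustration that is not Mautic's code: a lenient resolver that looks up the asset by numeric id alone (the behaviour the reporter observed) next to a strict resolver that also requires the alias in the URL to match the stored record. The `ASSETS` table, the `<id>:<alias>` parsing and the returned file paths are constructed for the example and do not reflect Mautic's schema or routing.

```python
import hmac
import re
from typing import Callable, Iterable, Optional, Tuple

# Constructed asset table standing in for the application database
# (assumed shape for this example only, not Mautic's actual schema).
ASSETS = {
    1: {"alias": "q3-pricing-sheet", "path": "assets/1.pdf"},
    2: {"alias": "partner-contract-template", "path": "assets/2.docx"},
}

# A download reference is "<numeric id>:<alias>"; the alias is restricted
# to slug characters so nothing path-like can ride along in the URL.
REF_PATTERN = re.compile(r"^(\d+):([A-Za-z0-9][A-Za-z0-9_-]*)$")


def parse_ref(ref: str) -> Optional[Tuple[int, str]]:
    """Split '1:q3-pricing-sheet' into (1, 'q3-pricing-sheet'); None if malformed."""
    m = REF_PATTERN.fullmatch(ref)
    if m is None:
        return None
    return int(m.group(1)), m.group(2)


def resolve_lenient(ref: str) -> Optional[str]:
    """Behaviour described in the issue: only the numeric id is consulted,
    so '1:any-string' serves asset 1 and ids can be walked sequentially."""
    parsed = parse_ref(ref)
    if parsed is None:
        return None
    asset_id, _alias = parsed  # alias is parsed but never checked
    asset = ASSETS.get(asset_id)
    return asset["path"] if asset else None


def resolve_strict(ref: str) -> Optional[str]:
    """Proposed fix: both the id and the alias must match the stored record.
    An unknown id and a wrong alias give the same 'not found' result, so a
    probe learns nothing about which ids exist."""
    parsed = parse_ref(ref)
    if parsed is None:
        return None
    asset_id, alias = parsed
    asset = ASSETS.get(asset_id)
    if asset is None:
        return None
    # Constant-time comparison so response timing does not hint at how
    # much of the alias was correct.
    if not hmac.compare_digest(alias.encode(), asset["alias"].encode()):
        return None
    return asset["path"]


def reachable_with_bogus_alias(resolver: Callable[[str], Optional[str]],
                               ids: Iterable[int]) -> int:
    """Regression check for the fix: how many assets a loop over numeric ids
    with a placeholder alias still reaches. Should be 0 for the strict resolver."""
    return sum(1 for i in ids if resolver(f"{i}:x") is not None)


if __name__ == "__main__":
    print("lenient 1:any-string ->", resolve_lenient("1:any-string"))
    print("strict  1:any-string ->", resolve_strict("1:any-string"))
    print("strict  1:q3-pricing-sheet ->", resolve_strict("1:q3-pricing-sheet"))
    print("lenient reachable:", reachable_with_bogus_alias(resolve_lenient, range(1, 10)))
    print("strict reachable: ", reachable_with_bogus_alias(resolve_strict, range(1, 10)))
```

Returning the same "not found" for a wrong alias and for a missing id is deliberate: a distinct "forbidden" response for a mismatched alias would still confirm that the numeric id exists. The reporter's PS about freezing the alias after creation matters for the same check: if the alias can be renamed, every previously shared link must either keep working through the old alias or be treated as revoked, and that decision should be explicit rather than left to whichever value happens to be stored.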