Mautic Community Forums

"Secured" Assets URL

Originally posted on GitHub:
https://github.com/mautic/mautic/issues/5052

When creating an asset, the download URL generated by Mautic is: https://mautic.company.com/asset/1:internal-id-of-asset

Customers asked us why the internal id was facing the public URL generated.

We thought it was for security concerns:
maybe Mautic would check that both internal-id and numeric id match before processing the download. But no: as soon as you type in the URL

https://mautic.company.com/asset/1:any-string

the download is processed.

This way, a competitor knowing that you're using Mautic could request all the assets by creating a single batch to loop across all numeric IDs.

I think Mautic should implement a URL verification for both the numeric id and internal name provided.

If the internal name doesn't match the numeric ID, download should be forbidden.

PS: maybe we should lock internal-id modification once the asset has already been created (like for custom fields)

Any feedback from the community?
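
The check proposed in the post above, as an added example that is not part of the original post and is not Mautic's own code. The function names, the alias character set and the sample asset table are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the asset table (numeric id => internal name).
const SAMPLE_ASSETS = [
    1 => 'whitepaper-2017',
    2 => 'price-list',
];

/**
 * Split a "<numeric id>:<internal name>" slug, the shape seen in /asset/1:internal-id-of-asset.
 * Returns [id, alias], or null when the slug is malformed.
 * Assumption: internal names are limited to letters, digits, '-' and '_'.
 */
function parseAssetSlug(string $slug): ?array
{
    if (!preg_match('/^([1-9][0-9]{0,9}):([A-Za-z0-9_-]+)$/D', $slug, $m)) {
        return null;
    }
    return [(int) $m[1], $m[2]];
}

/**
 * Return the HTTP status for a download request.
 * 200 only when the numeric id exists AND the internal name in the URL is the stored one.
 */
function authorizeDownload(string $slug, array $assets): int
{
    $parsed = parseAssetSlug($slug);
    if ($parsed === null) {
        return 404; // not an asset URL at all
    }
    [$id, $alias] = $parsed;

    // An unknown id and a wrong internal name get the same answer, so the
    // response does not confirm which numeric ids exist.
    $stored = $assets[$id] ?? null;
    if ($stored === null || !hash_equals($stored, $alias)) {
        return 403;
    }
    return 200;
}

// Constructed requests: one valid, the rest must be refused.
foreach (['1:whitepaper-2017', '1:any-string', '2:whitepaper-2017', '3:price-list', '1'] as $slug) {
    printf("%-20s -> %d\n", $slug, authorizeDownload($slug, SAMPLE_ASSETS));
}
```

With this check the internal name acts as a second value a requester must know, so it only helps if internal names are not guessable from the numeric id.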