Tags: Episerver Forms Optimizely/Episerver SQL

Episerver Forms - public access to uploaded files

The problem

If I create a form that let visitors upload files:

Episerver Form form container, with a file upload control and a submit button.

And then send an email with a link to every file that is uploaded:
Episerver Forms email template with placeholder for link to uploaded file.

The recipient will have to log in to Episerver CMS to access the file. In most situations this is OK, but not if the recipient do not have access.

The uploaded files are stored in a folder named «Uploaded Files» inside the content assets folder for the file upload block.

Assets pane, showing the folder «Uploaded Files» below «For This Block» for the File upload block.

Managing access rights for this folder is not directly accessible from within Episerver edit mode.

The solution

This dialog, accessible from the «manage» link on any page or block, can help us.
The dialog used to set access rights for a specific content item.

Inspect the markup, and open in new tab:

Access rights.

Alternatively, you can access the URL: /EPiServer/CMS/Edit/EditSecurity.aspx?id=1

To change the access rights of the «Uploaded Files» folder inside the file upload item's content assets folder, you will just have to replace the value of the url parameter id with the id of the folder «Uploaded Files».

Most likely, the id is the id of your file upload block + 2, and the id of the file upload block is visible in edit mode:

Episerver edit mode showing the content id of the file upload form control.

To be sure we get the correct ID, we can query the database. First locate the content assets folder:

SELECT pkID FROM tblContent WHERE ContentGUID = 
   (
      SELECT ContentAssetsID FROM tblContent WHERE pkId = 131
   )

In my case, that yields 132. I put 132 into this query:

SELECT pkId FROM tblContent WHERE ContentPath LIKE '%.132.'

...and I get the id of my «File Upload» folder that is 133.

Another option is nested subqueries that will give you the id directly.

SELECT pkId 
FROM tblContent 
WHERE ContentPath LIKE CONCAT(CONCAT('%.', (SELECT pkId
                                             FROM   tblContent 
                                             WHERE  ContentGUID= (
                                                SELECT ContentAssetsID
                                                FROM tblContent 
                                                WHERE  pkId = 131))) 
                               , '.')

Then replace the id in the URL, with the id for the folder «Uploaded Files»:Dialog for setting access wights, with the id parameter in the URL highlighted.

Add the «Everyone» group:
Dialog for granting access rights to «Everyone».

Make sure «Everyone» has Read-access, and save.
Dialog for setting access rights, with «Everyone» added.

Now, everyone will have access to download the uploaded files for this exact upload item.