# prisma-whats-new
p
Hello, I’m not sure what the consequences of the following are:
File uploads using the File API are not governed by the permissions on the `File` type. As such, everyone can upload files to your project.
Does this mean that one should really be very protective about one’s project alias for instance? I mean, if anyone knows what my service name or ID is, they can simply upload files without any control. No? I don’t have an issue with the downloads really, since the file secrets in my opinion should only be communicated to an authenticated user unless those files are public in the first place.
n
that's correct. if that's a concern in your case, you can easily set up your own file integration including the desired authorization flows. check https://www.graph.cool/forum/t/possible-s3-integration/1013?u=nilan for some discussion on that matter
p
Thank you. What about if I remove the `File` type (and so lose the File endpoint), are there other security concerns in knowing the service ID?
Also, Nilan, on the Shared cluster, even with Pay as you go, it’s still not possible to secure the endpoint? Soren’s post isn’t fully clear on this.
n
there are certainly other use cases, #graphql-gateway is the best place to discuss them at the moment 🙂
p
Ok; just posted a question there. So what about the paid service possibility?