Uploaded files are public?

Steps to reproduce

Launch Firefox.
Log out of Dynalist.
Paste a URL to a bullet point in Dynalist, hit enter, get “Please log in to view this document” page.
Paste a URL to a pdf file uploaded to Dynalist, hit enter, pdf loads.

Expected result

Are all uploaded files public by default and downloadable by anyone who knows the URL?

Actual result

Instead of the expected result, what happened?

Environment

Which operating system are you using? Which browser are you using? If you’re using a desktop or mobile app, what’s the version number of Dynalist?

Additional information

Additional comments

Same on Chrome.

This is worrysome

Short answer: no.

Please see the “Who can see the files I uploaded?” section here: http://help.dynalist.io/article/105-is-my-data-private

The default setting should be private. As long as you don’t change this setting, it should work.

Testing on your own computer is not a reliable way to test, since all modern browsers tend to cache (save) accessed files for speed and performance. Clear your cache and it should show a 404 error. (Or you can ask someone else to test it for you)

You could give it a try in Incognito mode, which does not share cached requests with the regular browsing session.

Can you see this?

https://dynalist.io/u/6Ti5LLDvwpP51kKkV16KpI9g

Yes I can. Was it uploaded while this option is unchecked?

Yes and I think it always was unchecked

That’s weird, I tried accessing a file I just uploaded in incognito tab and got “Access denied”. However I can access the file you linked to.

@Shida?

Maybe it’s checked in the database but app always render it as unchecked? Let me know if you want me to check and uncheck again to test with new uploads

I did not know that this setting existed before now. I don’t recall ever touching this setting, and so I assume that the default for it is that file links are PUBLIC. This is a bad idea. I strongly suggest setting the default to PRIVATE.

Also, is there any way you can make retrospectively make previous file links private? Or maybe some way of toggling the private/public setting on an individual file basis, like what Google Drive and Dropbox allows.

P.S. I tried accessing an uploaded file in Firefox in private browsing mode. Again, when I pasted a URL to a bullet point in Dynalist, I got the expected “Please log in to view document page”, but when I pasted a URL to an uploaded pdf file, it loads. I think that somehow, ALL my file links are public, which is worrisome. I don’t think it is a browser cache issue.

After some investigation, I believe this is a screw-up on our part with the option defaults.

The issue is that the server considered the default option public, but the client showed it as private. This was a mistake we’ve made a while ago when switching from default public to default private, while correctly showing the client option but incorrectly doing the change on the server side.

We’ll be patching this soon. Meanwhile as a workaround, you can forcibly set the option by turning the option to public, then back to private.

We are also making plans to allow viewing and changing the permissions of individual files, so the files that have been uploaded as public can be turned to private if you wish.

Yes, now this works

When you have implemented the ability to change permissions of individual files, may I suggest that you also give us a way to change the permissions of ALL files to private. I would hate to have to go through hundreds of files to set their permissions individually, and I suspect that this is an operation that many of your subscribers will like to do.

Yes, definitely. Just like how you can enable/disable Google Calendar sync for all documents at once.