debian-mirror-gitlab/doc/security/user_file_uploads.md

---
type: reference
stage: Manage
group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---

# User file uploads **(FREE)**

> - Enforced authorization checks [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/80117) in GitLab 14.8 [with a flag](../administration/feature_flags.md) named `enforce_auth_checks_on_uploads`. Disabled by default.
> - Enforced authorization checks became [generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/352291) in GitLab 15.3. Feature flag `enforce_auth_checks_on_uploads` removed.
> - Project settings in the user interface [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88567) in GitLab 15.3.

In private or internal projects, GitLab restricts access to uploaded files (such as PDFs)
to authenticated users only. By default, image files are not subject to the same
restriction, and unauthenticated users can use the URL to view the
file. If you enable authorization checks for all media files, images
receive the same protection and are viewable only by authenticated users.

Users can upload files to issues, merge requests, or comments in a project. Direct URLs
to these images in GitLab contain a random 32-character ID to help prevent
unauthorized users from guessing image URLs. This randomization provides some protection
if an image contains sensitive information.

Authentication checks for images can cause display issues in the body of notification emails.
Emails are frequently read from clients (such as Outlook, Apple Mail, or your mobile device)
not authenticated with GitLab. Images in emails appear broken and unavailable if
the client is not authorized to GitLab.

## Enable authorization checks for all media files

Non-image attachments (including PDFs) always require authentication to be viewed.
You can use this setting to extend this protection to image files.

Prerequisite:

- You must have the Maintainer or Owner role for the project.
- Your project visibility settings must be **Private** or **Internal**.

To configure authentication settings for all media files:

1. On the top bar, select **Main menu > Projects** and find your project.
1. On the left sidebar, select **Settings > General**.
1. Expand **Visibility, project features, permissions**.
1. Scroll to **Project visibility** and select **Require authentication to view media files**.
   You cannot select this option for projects with **Public** visibility.

## Delete uploaded files

> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92791) in GitLab 15.3.

You should delete an uploaded file when that file contains sensitive or confidential information. When you have deleted that file, users cannot access the file and the direct URL returns a 404 error.

Project Owners and Maintainers can use the [interactive GraphiQL explorer](../api/graphql/index.md#graphiql) to access a [GraphQL endpoint](../api/graphql/reference/index.md#mutationuploaddelete) and delete an uploaded file.

For example:

```graphql
mutation{
  uploadDelete(input: { projectPath: "<path/to/project>", secret: "<32-character-id>" , filename: "<filename>" }) {
    upload {
      id
      size
      path
    }
    errors
  }
}
```

Project members that do not have the Owner or Maintainer role cannot access this GraphQL endpoint.
<!-- ## Troubleshooting

Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.

Each scenario can be a third-level heading, for example `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
New upstream version 12.0.8 2019-09-04 21:01:54 +05:30			`---`
			`type: reference`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`stage: Manage`
New upstream version 14.8.5+ds1 2022-04-04 11:22:00 +05:30			`group: Authentication and Authorization`
New upstream version 15.5.4+ds1 2022-11-25 23:54:43 +05:30			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments`
New upstream version 12.0.8 2019-09-04 21:01:54 +05:30			`---`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			`# User file uploads (FREE)`
Imported Upstream version 8.3.0+dfsg 2015-12-23 02:04:40 +05:30
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			> - Enforced authorization checks [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/80117) in GitLab 14.8 [with a flag](../administration/feature_flags.md) named `enforce_auth_checks_on_uploads`. Disabled by default.
			> - Enforced authorization checks became [generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/352291) in GitLab 15.3. Feature flag `enforce_auth_checks_on_uploads` removed.
			`> - Project settings in the user interface [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88567) in GitLab 15.3.`
Imported Upstream version 8.3.0+dfsg 2015-12-23 02:04:40 +05:30
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			`In private or internal projects, GitLab restricts access to uploaded files (such as PDFs)`
			`to authenticated users only. By default, image files are not subject to the same`
			`restriction, and unauthenticated users can use the URL to view the`
			`file. If you enable authorization checks for all media files, images`
			`receive the same protection and are viewable only by authenticated users.`
New upstream version 12.0.8 2019-09-04 21:01:54 +05:30
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			`Users can upload files to issues, merge requests, or comments in a project. Direct URLs`
			`to these images in GitLab contain a random 32-character ID to help prevent`
			`unauthorized users from guessing image URLs. This randomization provides some protection`
			`if an image contains sensitive information.`

			`Authentication checks for images can cause display issues in the body of notification emails.`
			`Emails are frequently read from clients (such as Outlook, Apple Mail, or your mobile device)`
			`not authenticated with GitLab. Images in emails appear broken and unavailable if`
			`the client is not authorized to GitLab.`

			`## Enable authorization checks for all media files`

			`Non-image attachments (including PDFs) always require authentication to be viewed.`
			`You can use this setting to extend this protection to image files.`

			`Prerequisite:`

			`- You must have the Maintainer or Owner role for the project.`
			`- Your project visibility settings must be Private or Internal.`

			`To configure authentication settings for all media files:`

New upstream version 15.4.2+ds1 2022-10-11 01:57:18 +05:30			`1. On the top bar, select Main menu > Projects and find your project.`
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			`1. On the left sidebar, select Settings > General.`
			`1. Expand Visibility, project features, permissions.`
			`1. Scroll to Project visibility and select Require authentication to view media files.`
			`You cannot select this option for projects with Public visibility.`
New upstream version 12.0.8 2019-09-04 21:01:54 +05:30
New upstream version 15.10.7+ds1 2023-05-27 22:25:52 +05:30			`## Delete uploaded files`

			`> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92791) in GitLab 15.3.`

			`You should delete an uploaded file when that file contains sensitive or confidential information. When you have deleted that file, users cannot access the file and the direct URL returns a 404 error.`

			`Project Owners and Maintainers can use the [interactive GraphiQL explorer](../api/graphql/index.md#graphiql) to access a [GraphQL endpoint](../api/graphql/reference/index.md#mutationuploaddelete) and delete an uploaded file.`

			`For example:`

			```graphql
			`mutation{`
			`uploadDelete(input: { projectPath: "<path/to/project>", secret: "<32-character-id>" , filename: "<filename>" }) {`
			`upload {`
			`id`
			`size`
			`path`
			`}`
			`errors`
			`}`
			`}`
			```

			`Project members that do not have the Owner or Maintainer role cannot access this GraphQL endpoint.`
New upstream version 12.0.8 2019-09-04 21:01:54 +05:30			`<!-- ## Troubleshooting`

			`Include any troubleshooting steps that you can foresee. If you know beforehand what issues`
			`one might have when setting this up, or when something is changed, or on upgrading, it's`
			`important to describe those, too. Think of things that may go wrong and include them here.`
			`This is important to minimize requests for support, and to avoid doc comments with`
			`questions that you know someone might ask.`

New upstream version 15.6.4+ds1 2023-01-13 00:05:48 +05:30			Each scenario can be a third-level heading, for example `### Getting error message X`.
New upstream version 12.0.8 2019-09-04 21:01:54 +05:30			`If you have none to add when creating a doc, leave this section in place`
			`but commented out to help encourage others to add to it in the future. -->`