By default, SyncS3 for Gravity Forms uploads files to Amazon S3 with private file permissions. This means the only way to access them is with a signed URL – SyncS3 signs the URLs in the admin so you can easily view them. If you want to offer public access to the files, such as viewing images or downloading zip files, you’ll need to adjust the files’ permission settings.
The Bucket Policy
To change a file’s permission settings, you first need to ensure that access to the file isn’t denied at the bucket level via the bucket policy. The easiest solution may be to not have any bucket policy. This will let you set access permissions on a per-file basis. However, if you have a reason for a bucket policy, you’ll need to adjust it to exclude the files you want to keep public.
Here’s an example bucket policy that denies access to bucket files, unless requested from an authorized website.
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests referred by mywebsite.com.",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://mywebsite.com/*"
}
}
},
{
"Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringNotLike": {
"aws:Referer": "https://mywebsite.com/*"
}
}
}
]
}This policy denies access to any file in the my-bucket bucket, unless the request is from https://mywebsite.com. You’ll need to modify the policy to set your bucket name and website URL. You can also modify the Resource path if your public files are saved to a subfolder.
SyncS3 Filter
It is currently on our development roadmap to build a feature into SyncS3 that lets you select a canned ACL option for your file uploads. Until then, you can use the syncs3_put_object_acl filter to override the file’s ACL permission.
add_filter( 'syncs3_put_object_acl', 'em_syncs3_object_acl', 10, 6 );
/**
* Filters the Access Control List for an object.
* For possible choices, see https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl.
*
* @param string $acl ACL (default: 'private')
* @param string $file Local file URL when uploaded
* @param string $file_name Name of uploaded file
* @param int $field_id ID of the fileupload field
* @param int $form_id ID of the form
* @param array $entry Entry data
*
* @return string
*/
function em_syncs3_object_acl( $acl, $file, $file_name, $field_id, $form_id, $entry ) {
// Logic here if needed
return 'public-read';
}This snippet sets all files uploaded by SyncS3 to public-read. You’ll need to add your own logic if needed. The filter make available data about the entry, form, and field so you can run your own logic.
After you’ve set your bucket policy and filtered the file’s ACL permission, files will be accessible according to your custom permissions. If you’ve set your bucket policy and ACL to allow for public-read access, you can link to the files with the stored S3 URLs, and user won’t get the “Access Denied” XML error they’d normally receive when the file is set to private.