By default, SyncS3 for Gravity Forms uploads files to Amazon S3 with private file permissions. This means the only way to access them is with a signed URL – SyncS3 signs the URLs in the admin so you can easily view them. If you want to offer public access to the files, such as viewing images or downloading zip files, you’ll need to adjust the files’ permission settings.

The Bucket Policy

To change a file’s permission settings, you first need to ensure that access to the file isn’t denied at the bucket level via the bucket policy. The easiest solution may be to not have any bucket policy. This will let you set access permissions on a per-file basis. However, if you have a reason for a bucket policy, you’ll need to adjust it to exclude the files you want to keep public.


Here’s an example bucket policy that denies access to bucket files, unless requested from an authorized website.

{
    "Version": "2012-10-17",
    "Id": "http referer policy example",
    "Statement": [
        {
            "Sid": "Allow get requests referred by mywebsite.com.",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "https://mywebsite.com/*"
                }
            }
        },
        {
            "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": "https://mywebsite.com/*"
                }
            }
        }
    ]
}

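This policy denies access to any file in the my-bucket bucket, unless the request is from https://mywebsite.com. The aws:Referer value comes from the request's Referer header, which the client supplies, so this condition limits hotlinking from other sites rather than authenticating who is requesting the file. You’ll need to modify the policy to set your bucket name and website URL. You can also modify the Resource path if your public files are saved to a subfolder.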

SyncS3 Filter

It is currently on our development roadmap to build a feature into SyncS3 that lets you select a canned ACL option for your file uploads. Until then, you can use the syncs3_put_object_acl filter to override the file’s ACL permission.

add_filter( 'syncs3_put_object_acl', 'em_syncs3_object_acl', 10, 6 );
/**
 * Filters the Access Control List for an object.
 * For possible choices, see https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl.
 *
 * @param  string 	$acl       	ACL (default: 'private')
 * @param  string 	$file      	Local file URL when uploaded
 * @param  string 	$file_name 	Name of uploaded file
 * @param  int 		$field_id  	ID of the fileupload field
 * @param  int 		$form_id   	ID of the form
 * @param  array 	$entry     	Entry data
 *
 * @return string
 */
function em_syncs3_object_acl( $acl, $file, $file_name, $field_id, $form_id, $entry ) {
	// Logic here if needed
	return 'public-read';
}

This snippet sets all files uploaded by SyncS3 to public-read. The filter makes data about the entry, form, and field available, so you can add your own logic if needed.
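As an added example (not SyncS3's own code), one way to write that logic is to return public-read only for a chosen form, upload field and file type, and leave every other upload at the ACL passed in. The function name em_syncs3_selective_acl, form ID 3, field ID 7 and the extension list are assumptions; substitute your own. It goes wherever you would place the snippet above and replaces it.

```php
add_filter( 'syncs3_put_object_acl', 'em_syncs3_selective_acl', 10, 6 );
/**
 * Makes uploads public only for selected form fields and file types.
 * Every other upload keeps the ACL passed in (default: 'private').
 *
 * @return string
 */
function em_syncs3_selective_acl( $acl, $file, $file_name, $field_id, $form_id, $entry ) {
	// Assumed values: form ID => IDs of the upload fields whose files may be public.
	$public_fields = array(
		3 => array( 7 ),
	);

	// Assumed allow-list of file extensions that may be served publicly.
	$public_extensions = array( 'jpg', 'jpeg', 'png', 'gif', 'zip' );

	// IDs can arrive as strings, so normalise them before the strict comparison.
	$form_id  = (int) $form_id;
	$field_id = (int) $field_id;

	// Not a listed form/field pair: keep the incoming ACL.
	if ( ! isset( $public_fields[ $form_id ] )
		|| ! in_array( $field_id, $public_fields[ $form_id ], true ) ) {
		return $acl;
	}

	// Listed field, but the file type is not on the allow-list: keep the incoming ACL.
	$extension = strtolower( pathinfo( $file_name, PATHINFO_EXTENSION ) );
	if ( ! in_array( $extension, $public_extensions, true ) ) {
		return $acl;
	}

	return 'public-read';
}
```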

After you’ve set your bucket policy and filtered the file’s ACL permission, files will be accessible according to your custom permissions. If you’ve set your bucket policy and ACL to allow for public-read access, you can link to the files with the stored S3 URLs, and users won’t get the “Access Denied” XML error they’d normally receive when the file is set to private.
