Beginning in version 2.9.18, Team Password Manager allows users to upload files in passwords and projects.
These are some of the features of file uploads:
- You can upload any number of files to a password or a project.
- Only users with permission to edit a password or project can upload files to it.
- Only users with access to a password or project can download files from it.
- Files are saved encrypted (their name and content).
- You can configure the uploads folder to be located wherever you want in the server folder structure.
- The maximum file size can be adjusted using PHP settings.
These are the sections on this page:
- How to upload files to passwords and projects
- How to download files from passwords and projects
- Admin stuff: how to change the maximum file size
- Admin stuff: the uploads folder
- Admin stuff: allowed extensions
How to upload files to passwords and projects
Uploading files to passwords and projects is very easy:
- Go to the password or project you want to upload a file to
- Press "Upload file". You'll be taken to the upload file screen. If you don't see this button it means you can't edit the password or project, so you can't upload files to it.
- Select the file you want to upload. You can see the maximum file size below the file select button.
- Enter some notes if you want. You can always change these notes later.
- Press upload. When the upload process finishes you'll be taken to the "Files" tab in the password or project.
The following screenshot shows a file upload in progress:
How to download files from passwords and projects
Downloading is even easier than uploading. Just go to the password or project you want to download a file from, select the "Files" tab (if you don't see this tab, it means that the password/project doesn't have files) and click the "Download" button for the file you want to download.
The following screenshot shows the "Files" tab of a password with one file:
Admin stuff: how to change the maximum file size
Team Password Manager uses PHP file uploads to upload files, so you need to configure the maximum file size allowed by setting some PHP directives in php.ini. These are:
- upload_max_filesize: the maximum size of an uploaded file.
- post_max_size: when uploading files you're posting a form, and this is the maximum size of POST data allowed. In Team Password Manager it includes the size of the notes field. It should be larger than upload_max_filesize, especially for large files.
- memory_limit: the maximum amount of memory in bytes that a script is allowed to allocate. It should be larger than post_max_size.
Example: to set the upload maximum file size to 32 Mb, you can set the previous directives to:
upload_max_filesize = 32M
post_max_size = 33M
memory_limit = 128M
When uploading a file, Team Password Manager checks these values and shows the lowest of the three in the "Maximum file size" label below the "Select file" button.
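The following sketch is an added example, not Team Password Manager code: it converts the php.ini shorthand values to bytes, returns the lowest of the three directives, and warns when the ordering recommended above is not respected. The function names and the second sample configuration are constructed for illustration.

```php
<?php
// Added example, not Team Password Manager code.

/** Convert php.ini shorthand ("32M", "1G", "512K", "-1") to bytes. */
function ini_size_to_bytes(string $value): int
{
    $value  = trim($value);
    $number = (int) $value;                 // (int) "32M" === 32
    switch (strtolower(substr($value, -1))) {
        case 'g': return $number * 1024 ** 3;
        case 'm': return $number * 1024 ** 2;
        case 'k': return $number * 1024;
        default:  return $number;           // plain byte count
    }
}

/** Lowest of the three directives, plus warnings about their ordering. */
function effective_upload_limit(array $ini): array
{
    $upload = ini_size_to_bytes($ini['upload_max_filesize']);
    $post   = ini_size_to_bytes($ini['post_max_size']);
    $memory = ini_size_to_bytes($ini['memory_limit']);
    // PHP's documented "no limit" values: post_max_size = 0, memory_limit = -1.
    if ($post === 0) { $post = PHP_INT_MAX; }
    if ($memory < 0) { $memory = PHP_INT_MAX; }

    $warnings = [];
    if ($post <= $upload) {
        $warnings[] = 'post_max_size should be larger than upload_max_filesize';
    }
    if ($memory !== PHP_INT_MAX && $memory <= $post) {
        $warnings[] = 'memory_limit should be larger than post_max_size';
    }
    return ['limit' => min($upload, $post, $memory), 'warnings' => $warnings];
}

// Constructed sample configurations (the first one is the example from this page).
$samples = [
    'page example'   => ['upload_max_filesize' => '32M', 'post_max_size' => '33M', 'memory_limit' => '128M'],
    'post too small' => ['upload_max_filesize' => '64M', 'post_max_size' => '8M',  'memory_limit' => '128M'],
];
foreach ($samples as $name => $ini) {
    $result = effective_upload_limit($ini);
    printf("%s: effective limit %d MiB\n", $name, $result['limit'] / 1024 ** 2);
    foreach ($result['warnings'] as $w) { echo "  warning: $w\n"; }
}
```

On a live server, pass the values returned by `ini_get()` for the three directives instead of the sample arrays. In the second sample the effective limit is 8 MiB even though upload_max_filesize is 64M, because post_max_size is the smallest value.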
Check also the following PHP doc:
Admin stuff: the uploads folder
Files uploaded to Team Password Manager are stored in the uploads folder. This section explains some things you should know about this folder.
Folder location and permissions
By default, the uploads folder is located at the same level as index.php. You can change this location with the UPLOADS_FOLDER setting in config.php. You can do this in two ways:
- With an absolute path. Example: /var/www/domain/uploads/, or
- With a relative path (relative to index.php). Example: ../uploads/
define('UPLOADS_FOLDER' , '../uploads/');
For security, we recommend that you locate the uploads folder outside the public folder of your installation. For instance, you can locate it right above it by setting it to '../uploads/'.
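One way to check a candidate UPLOADS_FOLDER value against this recommendation, as an added example that is not Team Password Manager code: it resolves the setting the way the text describes (absolute, or relative to the folder of index.php) and reports whether the result still lies inside the public folder. The public folder path `/var/www/domain/public` and the function names are assumptions made for the example.

```php
<?php
// Added example, not Team Password Manager code. POSIX-style paths only.

/** Lexically resolve $path against $base, collapsing "." and ".." segments. */
function resolve_path(string $base, string $path): string
{
    $full = ($path !== '' && $path[0] === '/') ? $path : rtrim($base, '/') . '/' . $path;
    $out = [];
    foreach (explode('/', $full) as $segment) {
        if ($segment === '' || $segment === '.') { continue; }
        if ($segment === '..') { array_pop($out); continue; }
        $out[] = $segment;
    }
    return '/' . implode('/', $out);
}

/** True if the uploads folder resolves to the public folder or somewhere below it. */
function uploads_inside_public(string $publicDir, string $uploadsSetting): bool
{
    // The trailing slash keeps "/public_old" from matching "/public".
    $public  = rtrim(resolve_path('/', $publicDir), '/') . '/';
    $uploads = rtrim(resolve_path($publicDir, $uploadsSetting), '/') . '/';
    return strncmp($uploads, $public, strlen($public)) === 0;
}

$publicDir = '/var/www/domain/public';   // assumed folder that contains index.php
$settings  = [                           // constructed UPLOADS_FOLDER values
    'uploads/',                          // default: same level as index.php
    '../uploads/',                       // relative example from this page
    '/var/www/domain/uploads/',          // absolute example from this page
    '../public/files/',                  // looks "outside" but resolves back inside
    '../public_old/uploads/',            // sibling folder with a similar name
];
foreach ($settings as $setting) {
    printf("%-26s -> %-34s %s\n", $setting, resolve_path($publicDir, $setting),
        uploads_inside_public($publicDir, $setting) ? 'INSIDE public folder' : 'outside');
}
```

The resolution here is purely lexical so that it runs without the folders existing; on a real server, compare `realpath()` results instead so that symbolic links are taken into account.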
Team Password Manager creates and deletes files and folders in the uploads folder, so you should give it read and write permissions for the web server. Team Password Manager will check these permissions before uploading any file, and will prevent file uploads if the permissions are not appropriate.
The uploads folder bundled in the installation files includes an .htaccess file that makes the Apache web server serve the files as downloads (without running them) and prevents directory listing:

    # Enforces Apache to serve all files with an attachment header to force a download dialog,
    # preventing Apache to run any of the uploaded files through an interpreter like PHP,
    # even if the file extension is ".php".
    ForceType application/octet-stream
    Header set Content-Disposition attachment
    Header set X-Content-Type-Options nosniff

    # Prevents directory listing
    Options -Indexes
How files are stored
If you upload some files and then take a look at the uploads folder, you'll see a bunch of folders and files with meaningless letters and numbers. Also, if you try to open any of the uploaded files, you'll only see garbage. Don't panic!
Team Password Manager stores the uploaded files encrypted. It encrypts the filename and the content using the same method it uses to encrypt the fields of a password. So, you'll only be able to get (download) the unencrypted files through Team Password Manager itself, making it a secure vault for your organization's files.
Admin stuff: allowed extensions
By default you can upload any file to Team Password Manager. Since version 12.143.260, you can limit the files to upload by extension. To do it, use the UPLOADS_EXTENSIONS setting in config.php, where you can list the extensions you want to limit the uploaded files to. For example:
define('UPLOADS_EXTENSIONS', 'jpg, zip');
This will only allow files with extensions jpg and zip to be uploaded. This setting also affects the API since v. 12.146.268.
More information: UPLOADS_EXTENSIONS.
- Jul 12, 2023: UPLOADS_EXTENSIONS also affects the API since v. 12.146.268
- May 30, 2023: Admin stuff: allowed extensions