Security issue - file upload direct access

Hi, I’m having an issue where the true location of the files is displayed in the form entry after a file is uploaded. It also allows a user that’s not logged in to access the files in the uploaded folder.
I tried using add_filter( 'gform_require_login_pre_download', '__return_true' ); but that still allows users not logged in to access any file.

On troubleshooting, I noticed there are 2 uploaded folders for my form_id = 10 on the FTP. The older folder is the one with the issue. The new folder works fine. What I mean is any file on the old path [wp-content/uploads/gravity_forms/10-XXold_path] can be directly accessed by non-logged-in users and the path is not obscured in the entry list. And any file in the new path [wp-content/uploads/gravity_forms/10-XXnew_path] is secured, as the path is obscured and it can only be accessed by logged-in users. Any new file is uploaded to the NEW path, meaning for new files everything is good.

However, I have now +1,000 files in the old path that are not secured and my question is if there’s any way to fix this other than moving the files to the new path and changing the records in the DB to the new path.

I also wonder what could have triggered the creation of a new folder to store files that caused the old folder to behave erroneously. If anyone has faced a similar issue or has any tips, please let me know. I also have a ticket with support but it’s taking a while to hear back from them.
Thanks,
Andre
