I’ve asked this in the discord chat #development channel but no response yet. It’s not even really Grav specific, but I know some of you are across a lot of cloud service offerings.
I am looking for a way to securely store data and attachments from form plugin submissions.
This means it can’t be emailed or stored on the server. I had the idea of a write-only folder in Dropbox (write-only for the website’s API account, read for the website owner). Unfortunately, even though this meets the very definition of “dropbox” (small ‘d’), Dropbox (inc.) doesn’t seem to support this.
Are there any other “dropbox” options with Dropbox-like desktop client simplicity for the website clients/owners? Or another way to achieve the same information security?
@hughbris I’m not familiar with Dropbox and I’m not sure if I understand your requirement properly, but while building my own static website generator (based on Grav pages) I experimented with several Google APIs.
Not sure, but I believe the docs/sheets are accessible from the desktop.
Did I say It’s free…?
Thanks for your answer. It’s not what I’m looking for, but you give me an opportunity to clarify a few things about my requirements
First of all, solutions from Google, “free” or not, are untrustworthy for a couple of reasons:
- they have a history of discontinuing their products. Sheets, Docs, and GMail are probably safe, but the slight possibility of having to rewrite a plugin quickly is too much to contemplate.
- As a form submitting user, I wouldn’t personally trust them with sensitive financial or medical information (I have two clients in mind for this plugin). However, most people happily share anything about their lives either publicly on social media or securely in GMail, so that’s probably not going to discourage many users (The moment of realisation for me was when I had a few cross words with my ex-wife using GMail and then noticed ads for divorce lawyers!)
The solution needs to store two types of data, basically the same as what would be stored in a user/data folder: form field data and uploaded attachment media. I don’t think a spreadsheet is suitable for attached media.
Any file/data store that can be read using the API credentials is no good, because if the web server is breached, an attacker can simply find these credentials and use them to access the data we are trying to protect. The data may as well be on the server.
If Dropbox offered deposit-only folders, it would be perfect. The reason is that their desktop (esp. Windows) client is incredibly simple, well known, and appears like a normal folder to Windows Explorer or whatever it’s called these days. Further, a system tray notification can appear when new files are deposited.
It’s almost futile to search for this solution because the correct term “dropbox” has been taken over by content about Dropbox the product. That’s a lot of search noise.
I think Amazon S3 can do this (fine grained permissions), but I don’t know about desktop clients. Also, a couple of years ago when I experimented with S3, their API and docs were just awful.
Thank you again for your suggestion. All suggestions are welcome contributions to finding a solution. This would be a cool capability for the form plugin, allowing it to be used more confidently for sensitive information.
have you considered a self-hosted cloud solution like NextCloud ?
AFAIK, this comes wich Desktop Clients for all major OSes, as well as mobile.
(not sure if there are write-only folders possible, though)
Thanks, I have considered it and sorry could have mentioned that.
The point of not storing them on my own server is that I don’t want to be personally responsible for the information’s security. Nextcloud would be awesome and I have been meaning to set one up for my own file sync. However, I will still hesitate to keep files that are too personal on it. I’m concerned about of zero-day exploits