Some issues are rarely recognized but frequently frustrate. We have identified one such problem and we have solved it.
We are talking about direct links to attachments.
When you make a padlet and you fill it with posts, you can copy direct links to attachments and share them individually. This is tremendously useful if you want to share a specific attachment from your padlet instead of sending someone the entire thing.
However, these links can also become a security risk. Imagine you are a teacher and you accidentally invite a student to a padlet containing sensitive information. You can remove the student from the padlet but if he has already copied a direct link to one of the attachments, he may maintain access to that attachment. This is how Padlet used to work. A common solution to this problem is to require a log-in whenever an attachment link is opened, but this reduces the convenience of the links as a tool to share content.
We’ve fixed our links to provide seamless and responsive access while also ensuring security.
From now on, a direct link to a padlet attachment will only work if the person sending the link has access to the padlet. The link will cease to work if they lose access.
Here’s how we did it.
How we built badass shareable attachment URLs
The changes we’ve made apply to the “Copy direct link to attachment” feature, which allows users to obtain the direct link to an uploaded attachment for a post.
Requirements for our new link system
- Access control should be determined by the padlet. If a user has access to a padlet, the links they've copied or sent should work. If they lose access, their links should cease to function. No additional authentication needed.
- The link should be permanent. The link needs to work forever. We don’t want to burden the user with the need to regenerate an attachment link.
- The link should work fast. An access check means extra processing every time someone tries to open an attachment link. We want to minimize the performance impact and keep Padlet smooth and fast.
For every shareable attachment link, we generate a tokenized URL which is unique to the user that copied the link. When someone attempts to use the link, we check the access status of the user who generated the link. Only links provided by users with current access to the padlet will provide access to attachments.
To accomplish this, attachment URLs do not link directly to the server where the attachments are hosted, but rather route first through a proxy service which determines the validity of the token, and then decides whether to show the attachment to the user.
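A minimal sketch of the proxy-side check described above, added here as an illustration and not Padlet's own code. The HMAC-signed token format, the function names and the in-memory membership tables are all assumptions; the post does not say how the tokens are built.

```python
import base64
import hashlib
import hmac
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: signing key known only to the proxy

# Constructed sample state: who can access each padlet, where each attachment lives.
PADLET_MEMBERS = {"padlet-1": {"teacher", "student"}}
ATTACHMENT_PADLET = {"att-42": "padlet-1"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())


def make_link_token(attachment_id: str, issuer: str) -> str:
    """Issued on 'copy direct link'; binds the attachment to the copying user.
    No expiry field, so the link stays permanent. Assumes ids contain no '|'."""
    payload = f"{attachment_id}|{issuer}".encode()
    return f"{_b64(payload)}.{_sign(payload)}"


def proxy_authorize(token: str) -> Optional[str]:
    """Return the attachment id to serve, or None to refuse the request."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        attachment_id, issuer = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    # Stateless integrity check first: constant-time compare, no lookup needed.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    # Then the access check against the issuer's *current* membership.
    padlet = ATTACHMENT_PADLET.get(attachment_id)
    if padlet is None or issuer not in PADLET_MEMBERS.get(padlet, set()):
        return None
    return attachment_id
```

Because the token names the issuer and not the person opening the link, removing the issuer from the padlet is enough to kill every link they copied, while links copied by remaining members keep working.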
If there’s anything that defines the team at Padlet, it’s solving minute problems that bother us. No problem is too small and no solution is out of reach. If you ever identify a problem with Padlet, we encourage you to reach out. We’ll get started on a solution immediately.
When will these links be available?
The more secure links are now available for everyone.