Example Request form – allowing clients to submit attachments

Your system administrator can allow clients to submit attachments with their questions. When this has been allowed, clients will see an “Add any attachments” indicator in the Request form that allows attachments to be added, similar to this one:

If this tool is included, and the client uses it to select files, the files will be attached to the request when it is Submitted.  The attached files will show in the confirmation screen as further confirmation that they have been included.  They will be attached to the question, as Question attachments, when the question is created.

If the Select file(s) button is clicked a traditional file selection tool shows so that any file accessible to the client can be attached.

If the form is being used on a tablet or mobile phone, this will include an option to add a photograph.

If the user already has the file’s location showing in a file explorer window (such as after scanning a document), the file can be selected and dragged onto the drop zone, and will be uploaded. If a user tries to drag and drop more than one file onto the attachment drop zone only the first file will load (to prevent user loading very large numbers of files).

Once a file is successfully loaded its name appears above the Select files line with a green dot.

Your system administrator can limit the maximum size of files that clients can load (Parameter 2.8 with default value 20MB) and the maximum number of files that can attach (parameter 2.9 with default value 5) in order to prevent malicious loading of large amounts of data.

Security of adding attachments
Note that allowing clients to add attachments provides an opportunity for viruses to be submitted. Staff handling questions where attachments have been provided, need to be just as wary that an attachment might be a virus as they would be of emails containing attachments, and, as with email, your computer’s virus protection should protect against any that have been provided.

However, most RefTracker systems should be running an automatic virus check before files are uploaded (Administrators should look at parameter 9.80 and 9.81 for more information about this feature). If a virus is detected clients will see a validation message like this – note that you must add any replacemetn files and ReSubmit when a validation message like this appears:

Further, there are some other security features built into RefTracker to prevent loading of dangerous files.  Only allowed file types can be uploaded into RefTracker.  If a client tries to upload a file with an extension that is not allowed, the system will indicate that, and not load it (notice the red dot in the screen print below that indicates the file was not loaded).

There is also a check on the server side just in case the JavaScript has been manipulated by a malicious client.

 But on the server side there is no error message – the file will just be deleted – because this should only happen if the JavaScript has been manipulated by a malicious client so the file is most likely to be dangerous.

The list of allowed file types is quite long.  They include: images, pdf’s, web pages, txt files, Office file types and some other common word processing file types as recommended by Microsoft as safe, plus a number of other file types that we know are used by our customers to deliver information.  For security reasons, zip files can be attached by staff members, but not by end users.

If additional file types need to be allowed, they can be added to the MimeMap.XML file in the config/settings directory, by contacting your RefTracker support representative.

Despite these protections it is still possible for someone to give a file a different extension – for example a .exe file can be renamed with a .pdf.  However, even though the file might in fact, be a .exe – the Operating System will not attempt to execute it if it doesn’t have the .exe extension.

The Attachment control

Your System administrator controls whether a client interface Request form will include the attachment control, and where it will appear in that form, using the “Include client attachment control” parameter in each Request form’s Edit options, Other options tab.

They can also amend the “Add any attachments” label text by changing that Literal.