By default the real location of an uploaded file is hidden. The download URL is generated with a security token to prevent guessing or enumeration attacks aimed at discovering the location of other files. The gform_permission_granted_pre_download filter can be used to run custom logic that determines whether the download URL will allow access to the file.


The following would apply to all forms.

add_filter( 'gform_permission_granted_pre_download', 'your_function_name', 10, 3 );


  • $permission_granted bool

    Does the user have permission to access the file? Default is the result of the hash validation.

  • $form_id int

    The ID of the form used to upload the requested file.

  • $field_id int

    The ID of the field used to upload the requested file.


Require the user to have administrative capabilities

The following example shows how you can restrict access to only those users who have permission to activate plugins, but only when the hash has passed validation.

add_filter( 'gform_permission_granted_pre_download', function( $permission_granted, $form_id, $field_id ) {
	return $permission_granted && current_user_can( 'activate_plugins' );
}, 10, 3 );

Validate hash using older salt

If the site salts change, the hash used to validate access to older files via links found in notification emails will fail validation. This example shows how you can revalidate the hash using the older salt.

add_filter( 'gform_permission_granted_pre_download', function ( $permission_granted, $form_id, $field_id ) {
	// The hash already validated against the current salt; nothing more to do.
	if ( $permission_granted ) {
		return $permission_granted;
	}

	// Recalculate the expected hash while the old salt is temporarily in effect.
	add_filter( 'salt', 'filter_salt_for_old_gf_download', 10, 2 );
	$hash_check = GFCommon::generate_download_hash( $form_id, $field_id, rgget( 'gf-download' ) );
	remove_filter( 'salt', 'filter_salt_for_old_gf_download' );

	// Constant-time comparison: known value first, user-supplied value second.
	return hash_equals( $hash_check, (string) rgget( 'hash' ) );
}, 10, 3 );

// Callback for the salt filter used with gform_permission_granted_pre_download.
function filter_salt_for_old_gf_download( $salt, $scheme ) {
	return 'the-old-salt-here';
}
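
A scoped variant of the old-salt fallback above, as an added example (not Gravity Forms' code): it reads the old salt from a constant instead of hard-coding it in the theme, limits the fallback to listed forms and a cut-off date, and fails closed on malformed input. The constant MY_GF_OLD_SALT, the form IDs, the date and the my_* names are assumptions.

```php
// Added example, not Gravity Forms' own code. Assumed names: MY_GF_OLD_SALT (a constant
// defined in wp-config.php), the form IDs, the cut-off date and the my_* identifiers.
const MY_GF_OLD_SALT_FORMS  = array( 3, 7 );  // Constructed: forms with pre-change emailed links.
const MY_GF_OLD_SALT_EXPIRY = '2030-01-01';   // Constructed: date the fallback stops working.

add_filter( 'gform_permission_granted_pre_download', 'my_gf_old_salt_fallback', 10, 3 );

function my_gf_old_salt_fallback( $permission_granted, $form_id, $field_id ) {
	// A hash that validates against the current salt needs no fallback.
	if ( $permission_granted ) {
		return $permission_granted;
	}

	// Fail closed unless the old salt is configured, the form is in scope and the window is open.
	if ( ! defined( 'MY_GF_OLD_SALT' )
		|| ! in_array( (int) $form_id, MY_GF_OLD_SALT_FORMS, true )
		|| time() >= strtotime( MY_GF_OLD_SALT_EXPIRY ) ) {
		return false;
	}

	// Missing or array-valued query parameters cannot match a hash.
	$file = rgget( 'gf-download' );
	$hash = rgget( 'hash' );
	if ( ! is_string( $file ) || ! is_string( $hash ) || '' === $hash ) {
		return false;
	}

	// Swap the salt only for the duration of the hash calculation, even if it throws.
	$use_old_salt = function ( $salt, $scheme ) {
		return MY_GF_OLD_SALT;
	};
	add_filter( 'salt', $use_old_salt, 10, 2 );
	try {
		$expected = GFCommon::generate_download_hash( $form_id, $field_id, $file );
	} finally {
		remove_filter( 'salt', $use_old_salt, 10 );
	}

	// Known value first, user-supplied value second; constant-time comparison.
	$valid = hash_equals( (string) $expected, $hash );
	if ( $valid ) {
		GFCommon::log_debug( __FUNCTION__ . "(): old-salt link accepted for form {$form_id}, field {$field_id}." );
	}

	return $valid;
}
```

Logging each accepted old-salt link shows when the fallback is no longer being used and can be removed.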


This code should be placed in the functions.php file of your active theme or a custom functions plugin.


This filter was added in Gravity Forms

Source Code

This filter is located in GF_Download::maybe_process() in includes/class-gf-download.php.