By default the real location of an uploaded file is hidden. The download URL will be generated with a security token to prevent guessing or enumeration attacks to discover the location of other files. The gform_permission_granted_pre_download filter can be used to perform custom logic to determine if the download URL will allow access to the file.


The following would apply to all forms.

add_filter( 'gform_permission_granted_pre_download', 'your_function_name', 10, 3 );


  • $permission_granted bool

    Does the user have permission to access the file? Default is the result of the hash validation.

  • $form_id int

    The ID of the form used to upload the requested file.

  • $field_id int

    The ID of the field used to upload the requested file.


Require the user to have administrative capabilities

The following example shows how you can restrict access to only those users who have permission to activate plugins, but only when the hash has passed validation.

add_filter( 'gform_permission_granted_pre_download', function( $permission_granted, $form_id, $field_id ) {
return $permission_granted && current_user_can( 'activate_plugins' );
}, 10, 3 );

Validate hash using older salt

If the site salts change, the hash used to validate access to older files via links found in notification emails will fail validation. This example shows how you can revalidate the hash using the older salt.

add_filter( 'gform_permission_granted_pre_download', function ( $permission_granted, $form_id, $field_id ) {
	if ( $permission_granted ) {
		return $permission_granted;

	add_filter( 'salt', 'filter_salt_for_old_gf_download', 10, 2 );
	$hash_check = GFCommon::generate_download_hash( $form_id, $field_id, rgget( 'gf-download' ) );
	remove_filter( 'salt', 'filter_salt_for_old_gf_download' );

	return hash_equals( rgget( 'hash' ), $hash_check );
}, 10, 3 );

// Callback for the salt filter used with gform_permission_granted_pre_download.
function filter_salt_for_old_gf_download( $salt, $scheme ) {
	return 'the-old-salt-here';

Restrict access based on the visitor IP address

This example shows how you can restrict the access to gf-download links based on the visitor IP address. The example assumes your server is storing the visitor IP address in $_SERVER[‘REMOTE_ADDR’], this is the most common scenario, but it can be different for your server setup. Ask your web host support if you are not sure about this.

add_filter( 'gform_permission_granted_pre_download', function ( $permission_granted, $form_id, $field_id ) {
	GFCommon::log_debug( __METHOD__ . '(): Runngin IP based gf-download restriction...' );
	$allowed_ips = array( // List of IP addresses allowed to access gf-download links.
	GFCommon::log_debug( __METHOD__ . '(): Allowed IPs: ' . print_r( $allowed_ips, true ) );

	// The snippet assumes your server stores the visitor IP in $_SERVER['REMOTE_ADDR'].
	// Not all servers do this. Ask your web host support if you are not sure.
	$visitor_ip = $_SERVER['REMOTE_ADDR'];

	GFCommon::log_debug( __METHOD__ . '(): Visitor IP: ' . $visitor_ip );

	if ( ! in_array( $visitor_ip, $allowed_ips ) ) {
		GFCommon::log_debug( __METHOD__ . '(): Visitor is not allowed to access gf-download links!' );
		wp_die( '<p>You are <b>not allowed</b> to access download links for this site.</p>' ); // Access not allowed if the IP is not in $allowed_ips.

	return $permission_granted;
}, 10, 3 );


This code should be placed in the functions.php file of your active theme or a custom functions plugin.


This filter was added in Gravity Forms

Source Code

This filter is located in GF_Download::maybe_process() in includes/class-gf-download.php.