Attachments
How files move between staff and customers — the upload flow, what types are allowed, how they’re stored, and how the download URLs stay secure.
Adding attachments
Drag and drop files onto the card, click the paperclip in the composer, or use the file picker on the customer portal. Multiple files per note are supported.
What you can upload
- Images: PNG, JPEG, GIF, WebP, SVG
- Documents: PDF, plain text
- Office: DOC, DOCX, XLS, XLSX, CSV
Executables (PHP, JS, scripts) are blocked: a MIME allowlist is enforced server-side. The default maximum size is 10 MB.
Storage & security
Files are stored under uploads/order-updates-for-woo/orders/{order_id}/{update_id}/{note_id}/ with UUID filenames. Every directory has an index.html guard, and the root has an .htaccess file with deny from all.
Downloads are served via a REST endpoint: staff are verified by REST nonce + capability, customers by a short-lived HMAC-signed URL.
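How a short-lived HMAC-signed download URL can be issued and checked, shown in PHP. This is an added example, not the plugin's own code: the secret, the endpoint URL and the parameter names (attachment, expires, sig) are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's code. Secret, endpoint URL and the
// parameter names (attachment, expires, sig) are assumptions.
const DEMO_SECRET = 'constructed-demo-secret';
const DEMO_BASE   = 'https://shop.example/wp-json/demo/v1/download';

// Issue a URL whose signature covers both the attachment ID and the expiry.
function sign_download_url(int $id, int $ttl, int $now, string $secret): string
{
    $expires = $now + $ttl;
    $sig = hash_hmac('sha256', $id . '|' . $expires, $secret);
    return DEMO_BASE . '?' . http_build_query(
        ['attachment' => $id, 'expires' => $expires, 'sig' => $sig]
    );
}

// Return the attachment ID if the URL is authentic and unexpired, else null.
function verify_download_url(string $url, int $now, string $secret): ?int
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    foreach (['attachment', 'expires', 'sig'] as $key) {
        // Reject missing fields and array-valued fields such as sig[]=x.
        if (!isset($q[$key]) || !is_string($q[$key])) {
            return null;
        }
    }
    if (!ctype_digit($q['attachment']) || !ctype_digit($q['expires'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $q['attachment'] . '|' . $q['expires'], $secret);
    // Constant-time comparison avoids leaking how many characters matched.
    if (!hash_equals($expected, $q['sig'])) {
        return null;
    }
    return ((int) $q['expires'] >= $now) ? (int) $q['attachment'] : null;
}

// Constructed cases: a fresh link, an expired one, and a tampered ID.
$now = 1700000000;
$url = sign_download_url(42, 300, $now, DEMO_SECRET);
$cases = [
    'fresh'    => verify_download_url($url, $now + 60, DEMO_SECRET),
    'expired'  => verify_download_url($url, $now + 301, DEMO_SECRET),
    'tampered' => verify_download_url(str_replace('attachment=42', 'attachment=43', $url), $now + 60, DEMO_SECRET),
];
foreach ($cases as $name => $result) {
    echo $name, ': ', $result === null ? 'rejected' : "serve attachment $result", PHP_EOL;
}
```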
Deletion
Deleting an attachment, update, or order cascade-removes its files and DB rows. After any delete, empty parent directories are pruned automatically.