Locking down file access
Hey,
So I have a director's area which is viewable when logged in as a user in the director's group.
The area allows users to download sensitive files which need to be locked down. So I enabled advanced file permissions in /config/site.php as follows:
define('PERMISSIONS_MODEL', 'advanced');
Then I created a file set and allowed view access to just the director's group. The files I then want to lock down are added to the director's file set. This prevents files accidentally appearing on the rest of the site to a non-logged in user.
When I go to download the file on the front-end, Concrete5 routes it via a URL like:
http://example.com.macbook/index.php/tools/required/files/download?...
So the actual file url is hidden.
However, it is still possible to get to the file via a URL and sidestep all of the permission access control settings.
http://example.com.macbook/files/7112/8730/7321/EL51... 0610 Policy Booklet.pdf
So in defence of the system the url is highly obscure i.e. 3 sets of 4 numbers for folder names.
However does this prevent this being a solution for highly sensitive documents?
Community thoughts appreciated.
Well, I think it's pretty secure, but if you want it more so there's an easy fix. I host with HostGator, and they have a built-in feature to password protect directories. So you could password protect example.macbook.com/files, and then no one could access it from the web. I'm sure other hosts have a similar feature too. You can also choose to lock them from C5's file manager, but I think you can only do it 10 at a time or so.
Thanks for your reply.
The problem with a web server directory level password is that it then prevents all files from being accessed.
In the above situation I have the public site and the director's only (log in) area. Password protecting /files would prevent all public files being loaded.
Am I right in thinking that with Concrete5's file password protect files are still accessible via their direct url?
just don't give out the relative path...
This is actually quite a difficult thing to do, if you have access to a file's URL but can't lock down an entire directory.
The only workable solution I can think of is this:
In your .htaccess file, rewrite all requests for a .pdf file (or whatever extension you need) to a single page on your site. That page should simply grab the filename of the original request and output the file with the relevant headers. I believe there is a C5 file helper somewhere that does just that. That way, the permissions model can be used to check whether the user has permission to view the file...
Make sense??
Jon
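A sketch of the gatekeeper page described in the post above, added here as an example; it is not code from the thread or from Concrete5. It assumes a rewrite rule (shown in the header comment) sends every direct /files/*.pdf request to the script. The script name, FILES_ROOT and the session-based group check are hypothetical stand-ins for the site's real permission lookup.

```php
<?php
// serve-file.php: hypothetical gatekeeper (added example, not Concrete5 code).
// Assumed .htaccess rule, placed before the Concrete5 rules ([NC] so .PDF is caught too):
//   RewriteRule ^files/.+\.pdf$ serve-file.php [L,NC]
// FILES_ROOT and the session layout below are assumptions for illustration.
define('FILES_ROOT', __DIR__ . '/files');
// Map a requested relative path to a real file under $root, or null if it
// does not exist or resolves outside the root (../ sequences, symlinks).
function resolve_requested_file($root, $relative)
{
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    $fileReal = realpath($root . '/' . $relative);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return null;
    }
    return strpos($fileReal, $rootReal . DIRECTORY_SEPARATOR) === 0 ? $fileReal : null;
}

function serve_protected_file($relative, callable $canView)
{
    $file = resolve_requested_file(FILES_ROOT, $relative);
    // Same 404 for "missing" and "not allowed", so a response never confirms a path.
    if ($file === null || !$canView($file)) {
        http_response_code(404);
        exit('Not found');
    }
    $name = str_replace(array('"', '\\', "\r", "\n"), '_', basename($file));
    header('Content-Type: application/pdf');
    header('Content-Length: ' . filesize($file));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($file);
    exit;
}

// The rewrite is internal, so REQUEST_URI still holds the path the client asked for.
$uriPath  = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$relative = preg_replace('#^/files/#', '', rawurldecode($uriPath));
// Assumption: login code stored the user's group names in $_SESSION['groups'];
// a Concrete5 site would ask its permission model about the file here instead.
session_start();
$canView = function ($file) {
    return isset($_SESSION['groups']) && in_array('directors', $_SESSION['groups'], true);
};
serve_protected_file($relative, $canView);
```

Public PDFs under /files pass through the same script, so the real permission check has to allow them explicitly.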
Yep, the files block routes the download via the file download.php, which masks the file's actual URL.
I guess this is a secure solution on the assumption that the direct file urls cannot be found out.
If they can however then all of concrete permissions control etc can be side stepped...
A fully secure system would not allow direct url access for files that have permission control. I guess as you (jbx) say this would need to be done at a mod_rewrite level.
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)\.pdf$ not-permitted/ [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
This will affect ALL of your PDFs, but that shouldn't be an issue. Basically, if someone uses the correct Concrete5 URL to download the file (download_file/fID), then it will work. Not only that, it will check the user has permission to download the file first. However, if the user attempts to access the file directly, then it will redirect to whatever page you have told it to (replace the "not_permitted/" bit with a real page that says something like "Go away and stop trying to steal our files you .....").
Will that work??
Jon
After talking with the concrete5 specialists it is possible to 100% direct web url access of uploaded files and only members. The best solution is to locate a DVD-R. Make sure you have burning software. For Windows, upload the files to your C drive and burn them to the DVD. Delete all files from concrete5. Now eject the DVD. That is the only way to make your files secure, the answer is to get rid of Concrete5 let only those members on the password protected page come to your house and borrow the files on DVD. Concrete5 is an amateur and bad program that is not secure. What a joke.
You're funny. You're wrong but you're funny I give you that :)