Permissions for Files

How can I restrict access for downloading files in the file manager to only certain user groups?

I've gone into 'Access & Permissions' and unchecked 'read' for guest, but after logging out and trying to access that file by entering its path into my browser, it still allows me to download the file even though I unchecked read access for guest.

Am I doing something wrong here? How can I specify permissions for files?

 
jshannon replied:
Which path are you trying to access the file with? The /download_file/ link? Or the /files/1111/2222/xxx.jpg link?

The former should check permissions. The latter CAN'T check permissions.

James
TNTdesign replied:
I was using the /files/1111/2222/xxx.jpg link

So should I be concerned about someone being able to stumble upon a file that a user has uploaded which may contain some sensitive information, like SSN, medical info, etc.? If so, are there other steps I should take to make sure those files are secure, or at least more secure? If it is highly unlikely that someone could stumble upon the files, then it might not be a big concern, but I just don't want someone to be able to google something and have the file appear in the results.

I've already added /files to robots.txt but I'm just not sure of what else I should do to try and make a user uploaded file more secure?

Thanks for your help.
jshannon replied:
I /think/ that's the point of the /1111/2222 directory structure -- a way to keep people from guessing. It'd be pretty hard to guess that.

But if you've got files with SSNs and medical info, I'd be more concerned.

You could set up your webserver to not allow any /files/*/*/* links to be served by Apache, and verify that everything on your site that links to a file uses the /download/ controller.

You could also probably move the files directory out of the webroot using the includes or the dashboard (I know it's a setting, but don't have much experience with it). This means you don't need the Apache configuration, and the file cannot be accessed as /files/*/*.

James
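
The verification step suggested in the last reply, as an added example that is not part of the original thread or of the CMS: a small auditor that reads a page's HTML and separates links pointing straight at the `/files/*/*/*` storage path from links that go through `/download_file/`. The sample HTML, the `example.test` host and the exact shape of the `/download_file/` URL are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Direct storage path shape from the thread: /files/<dir>/<dir>/<name>
DIRECT = re.compile(r"(?:^|/)files/[^/]+/[^/]+/[^/]+$")
# Route the thread says checks permissions
CHECKED = "/download_file/"

# Constructed sample page; not taken from a real site
SAMPLE_HTML = """
<a href="/download_file/view/12/">Intake form</a>
<a href="/files/1111/2222/report.pdf">Report</a>
<img src="https://example.test/files/3333/4444/scan.jpg?v=2">
<a href="/about">About</a>
"""

class LinkAuditor(HTMLParser):
    """Collects href/src values and sorts them by how the file is reached."""

    def __init__(self):
        super().__init__()
        self.direct = []   # bypass the permission check
        self.checked = []  # go through the download route

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src") or not value:
                continue
            # Ignore host and query string; decode %xx so encoded paths match
            path = unquote(urlsplit(value).path)
            if DIRECT.search(path):
                self.direct.append((tag, value))
            elif CHECKED in path:
                self.checked.append((tag, value))

def audit(html):
    """Return (direct_links, checked_links) found in one HTML document."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.direct, parser.checked

if __name__ == "__main__":
    direct, checked = audit(SAMPLE_HTML)
    for tag, url in direct:
        print(f"DIRECT  <{tag}> {url}")
    for tag, url in checked:
        print(f"CHECKED <{tag}> {url}")
```

Every link reported as DIRECT needs to be switched to the download route before direct serving of the files directory is blocked or the directory is moved out of the webroot, otherwise that link stops working.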