User Permissions on Files
I have known for some time that C5 advanced permissions doesn't really provide full protection as to who can download files. I was hoping that this had changed with V8.
I have added a folder in file manager (excellent new feature) for a user and given permissions to view files in the folder to that user. I added a link to the file on a page and when not logged in you can't access the file, so all as expected, and if logged in as the correct user you can download the file. The issue is that it displays the actual URL to the file and this can be copied into a browser when not logged in to access the file.
This means that paths to users' files are available in the browser history. Given that user permissions is supposed to be a strong point of C5, is there a way to stop this from happening? How can I protect files from being accessed via this URL?
Hello. If you use the file block with "force download", it doesn't show the actual link.
I can't test this, as when force download is selected it causes an error on the page when the link is clicked.
I am using the latest release of V8.
My client is concerned that there is no protection for confidential documents.
Whoops\Exception\ErrorException thrown with message "Class 'finfo' not found"
Stacktrace:
#0 Whoops\Exception\ErrorException in /home/c5testmm/public_html/concrete/vendor/league/flysystem/src/Adapter/Local.php:307
It seems that finfo is a part of the PHP 'FileInfo' module, which was not active on the Uniform Server I use for my localhost development. When I turn the fileinfo.dll module on and restart Apache, the error goes away. Is the core team sure that the majority of hosting companies are configuring their servers to have the FileInfo module loaded up? My SiteGround sites have it enabled but my TMD Hosting servers do not have it turned on by default. If I Google 'finfo', there are lots of other frameworks having the same issue.
https://github.com/concrete5/concrete5/issues/4559