Secure files with advanced permissions
Permalink
I have some pdf files uploaded through file manager. I've enabled advanced permissions, and under 'access & permissions' on each pdf unticked 'read' and 'search' for guests. I assumed that would make the files inaccessible to guests, but they are still fully accessible. I tried again on a fresh install to make sure it wasn't something I did. Are these permissions supposed to work on files or not? If not, is there another way to limit access like this?
Also wondering about this... I've got permissions on the file set restricted to unregistered/guests, and any links from the site are also on blocks that are restricted, but if you know the URL to the file you can still get it.
I'm not sure if this is something that can be prevented, or if that's as far as it goes?
Any info would be appreciated.
I'm not sure if this is something that can be prevented, or if that's as far as it goes?
Any info would be appreciated.
I'm interested in this as well.
I was able to mask the download link to paid content with the Digital Download add on, but generally speaking...
I was able to mask the download link to paid content with the Digital Download add on, but generally speaking...
Ditto. I seem to remember this worked for me at some point but it doesn't now.
This seems to clearly be a bug.
This seems to clearly be a bug.
I discovered what the issue was with my download link. When I added the file for download, I had hard-coded a direct link to the file (e.g.,http://domain.com/files/8213/1853/3886/file.ext)....
When I used the "Add File" function in the content editor or added it as a File block, the permissions acted as expected.
It is true that if they know the direct URL (http://domain.com/files/8213/1853/3886/file.ext) someone can still download the file, but using the correct method effectively masks the direct URL so no one should be able to figure it out. The URL is set tohttp://domain.com/index.php/download_file/91/273/,... which acts as expected with permissions.
I guess someone could scan your server in some way and list all files (I don't know) but in the normal course of a visitor going to your site, they will not have access to the direct file URL.
When I used the "Add File" function in the content editor or added it as a File block, the permissions acted as expected.
It is true that if they know the direct URL (http://domain.com/files/8213/1853/3886/file.ext) someone can still download the file, but using the correct method effectively masks the direct URL so no one should be able to figure it out. The URL is set tohttp://domain.com/index.php/download_file/91/273/,... which acts as expected with permissions.
I guess someone could scan your server in some way and list all files (I don't know) but in the normal course of a visitor going to your site, they will not have access to the direct file URL.
Hey hey,
Interesting - good find. I already masked the URL in the File Manager to only display if they are Admin, but that's super good to know.
However, I think this may not be an issue with the Document Library, or even the File Manager, rather an architectural 'choice' regarding permissions at large.
For example, with Advanced Permissions turned on I wanted to throw the site into a 'Maintenance Mode', so I just edited the Permissions of the Home page (everything else is set to inherit these permissions) and changed the basic View privilege to Admin. Files uploaded by logged in users through the Document Library, however, are still available for direct download by Guests (not logged in). (http://mysite.com/files/5613/5069/6663/file_name.doc)
C5 offers beautiful control through Advanced Permissions of Pages and Blocks, but I don't understand control over directories, nor am I sure it's even possible (.htaccess/ Web server control?)
Hope we can get some input from one of 'the guys' in power. :)
Best,
Joel
Interesting - good find. I already masked the URL in the File Manager to only display if they are Admin, but that's super good to know.
However, I think this may not be an issue with the Document Library, or even the File Manager, rather an architectural 'choice' regarding permissions at large.
For example, with Advanced Permissions turned on I wanted to throw the site into a 'Maintenance Mode', so I just edited the Permissions of the Home page (everything else is set to inherit these permissions) and changed the basic View privilege to Admin. Files uploaded by logged in users through the Document Library, however, are still available for direct download by Guests (not logged in). (http://mysite.com/files/5613/5069/6663/file_name.doc)
C5 offers beautiful control through Advanced Permissions of Pages and Blocks, but I don't understand control over directories, nor am I sure it's even possible (.htaccess/ Web server control?)
Hope we can get some input from one of 'the guys' in power. :)
Best,
Joel
This is an old thread but I have a simple solution for anyone else struggling with the same problem:
Create an Alternate Storage Directory in System & Settings > File Storage Locations.
Create the directory on your server
Add an .htaccess file to the new directory containing:
order deny,allow
deny from all
Move the files you want to protect into the new directory using the file manager (click on the file > access & permissions > storage location tab.
That's it. You can no longer navigate directly to any of the files in the protected directory but files can be downloaded when linked by C5 file links.
Create an Alternate Storage Directory in System & Settings > File Storage Locations.
Create the directory on your server
Add an .htaccess file to the new directory containing:
order deny,allow
deny from all
Move the files you want to protect into the new directory using the file manager (click on the file > access & permissions > storage location tab.
That's it. You can no longer navigate directly to any of the files in the protected directory but files can be downloaded when linked by C5 file links.
Thanks for this suggestion.
I have followed your steps and cannot access the file if I use the full link in a browser.
http://www.mysite.com/files2/6913/7359/7588/test.pdf...
However if I use the file block or add in a file through the content block, I am able to copy the link and then open that link in the browser:
http://www.mysite.com/index.php/download_file/view/138/76/...
Is there another type of URL I need to use?
We have discovered that users are logging in and then passing across the download link to other users.
Thanks
I have followed your steps and cannot access the file if I use the full link in a browser.
http://www.mysite.com/files2/6913/7359/7588/test.pdf...
However if I use the file block or add in a file through the content block, I am able to copy the link and then open that link in the browser:
http://www.mysite.com/index.php/download_file/view/138/76/...
Is there another type of URL I need to use?
We have discovered that users are logging in and then passing across the download link to other users.
Thanks
I just wanted to add a reply here, as although it is an old thread, I followed jawbonelid's directions above and wanted to confirm they worked for me?
In concrete5.8 the files cannot be downloaded when linked by C5 file links
when have the correct permissions in c5
If they are stored in the directory /application/private_files
if it has the .htaccess file as above
https://mysite.co.uk/download_file/1234/0... redirects to
https://mysite.co.uk/application/private_files/1234/1234/4321/privat...
which is inaccesible
and if it does not have the .htaccess anyone can access it if they know the URL
when have the correct permissions in c5
If they are stored in the directory /application/private_files
if it has the .htaccess file as above
https://mysite.co.uk/download_file/1234/0... redirects to
https://mysite.co.uk/application/private_files/1234/1234/4321/privat...
which is inaccesible
and if it does not have the .htaccess anyone can access it if they know the URL
Is there no way to allow file access to logged in users and restrict access to guests?