Download link and hash to prevent unauthorized downloading

Permalink 1 user found helpful November 10, 2011 at 6:49 AM

Ok, Conrete5:s download_file url is fine add, but I noticed that user is able to download all files in "File Manager" just by changing the "file id" in the url.

example.
If we had some download link for lets say for "User manual.pdf", the automated download link would be something like this:
concrete5.4.2.2/index.php/download_file/view/23/106/

I noticed that it actually very easy to check what else there've been uploaded to the file manager just by changing the file's id at the url, like this:
concrete5.4.2.2/index.php/download_file/view/1/106/
concrete5.4.2.2/index.php/download_file/view/2/106/
concrete5.4.2.2/index.php/download_file/view/3/106/
...

So, I think there should be some kind of "protection hash" to harden unauthorized file downloading etc.
concrete5.4.2.2/index.php/download_file/view/23/106/0b3f3842a5b2c79a07c20695462aeb87

jshannon replied on Mar 13, 2012 at 8:52 pm Permalink Best Answer Reply

I second this. I think i'm going to have to create passwords for every file (or remove read permissions from normal users), and then use the file system URL.

Temposaur replied on Aug 6, 2013 at 9:36 am Permalink Reply

I had to ditch the "cID" -parameter at download_file.php when it was used only at "trackDownload". I placed my "security hash"-function to prevent downloading (and cleaned hex -base to base62 to clean up ).

It was actually quite easy procedure. I might clean up the code when I have time to give it for free use, now I'm battling with deadline with "mediabank" -site, where unauthorized download are not tolerated.