Filemanager Permissions
Permalink
Hi,
We attempted to move files outside of the public_html directory for security reasons using the file manager permissions (otherwise these files would be accessible without login if you knew the correct url).
It appears this breaks thumbnail previews though as the filemanager direct links to files/thumbnails.
Any suggestions?
We attempted to move files outside of the public_html directory for security reasons using the file manager permissions (otherwise these files would be accessible without login if you knew the correct url).
It appears this breaks thumbnail previews though as the filemanager direct links to files/thumbnails.
Any suggestions?
Here is what we came up with incase it is useful for anyone else. In /application/bootstrap/app.php
<?php /** * Created by PhpStorm. * User: John Everden * Date: 3/8/2017 * Time: 9:07 AM */ use Concrete\Core\Support\Facade\Events; use Concrete\Core\Permission\Key\Key; Events::addListener('on_before_dispatch', function($event) { $path = $_SERVER['REQUEST_URI']; if (strpos($path, '/thumbnails/file_manager_listing/') !== false || strpos($path, '/thumbnails/file_manager_listing_2x/') !== false ) { global $u;
Viewing 15 lines of 39 lines. View entire code block.
we had the same problem and solved it with a .htaccess file denying all accesses to the directory. Of course, this would break the thumbnails as well.
The solution is to load the thumbnail from a script that reads in the file from the protected or not public folder and then passes the file content to the output stream. Concrete5 does this with the single page download_file.php.
To enforce this URL as a source of the images we created a custom StorageFileLocation. If you're interested we will publish an add-on as soon as possible.