Download link and hash to prevent unauthorized downloading

OK, Concrete5's download_file URL is a fine addition, but I noticed that a user is able to download all files in the "File Manager" just by changing the "file id" in the URL.

Example:
If we had a download link for, let's say, "User manual.pdf", the automated download link would be something like this:
concrete5.4.2.2/index.php/download_file/view/23/106/

I noticed that it is actually very easy to check what else has been uploaded to the file manager just by changing the file's ID in the URL, like this:
concrete5.4.2.2/index.php/download_file/view/1/106/
concrete5.4.2.2/index.php/download_file/view/2/106/
concrete5.4.2.2/index.php/download_file/view/3/106/
...


So, I think there should be some kind of "protection hash" to harden against unauthorized file downloading etc.
concrete5.4.2.2/index.php/download_file/view/23/106/0b3f3842a5b2c79a07c20695462aeb87

Temposaur
jshannon replied (Best Answer):
I second this. I think I'm going to have to create passwords for every file (or remove read permissions from normal users), and then use the file system URL.
Temposaur replied:
I had to ditch the "cID" parameter in download_file.php when it was used only in "trackDownload". I put in my "security hash" function to prevent downloading (and changed the hex base to base62 to clean it up).

It was actually quite an easy procedure. I might clean up the code when I have time, to give it out for free use; right now I'm battling a deadline on a "mediabank" site, where unauthorized downloads are not tolerated.
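
One way to build the kind of "protection hash" discussed in this thread, as an added example (not Temposaur's code and not concrete5's own): the token is a keyed HMAC over the IDs in the link, so it cannot be recomputed by someone who only changes the file ID in the URL. The function names, the secret and the extra expiry segment are assumptions made for illustration.

```php
<?php
// Added example: HMAC-signed download links. All names are hypothetical,
// none of them are concrete5 APIs.

const DOWNLOAD_KEY = 'replace-with-a-long-random-server-side-secret'; // placeholder

function base64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// The token binds file ID, page ID and expiry time to the server-side secret.
function download_token(int $fID, int $cID, int $expires): string
{
    $mac = hash_hmac('sha256', "download|$fID|$cID|$expires", DOWNLOAD_KEY, true);
    return base64url($mac); // 32 raw bytes -> 43 URL-safe characters
}

function signed_download_path(int $fID, int $cID, int $ttl = 3600, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    return "/index.php/download_file/view/$fID/$cID/$expires/"
        . download_token($fID, $cID, $expires);
}

// Returns the file ID to serve, or null if the link is malformed, expired or forged.
function verify_download_path(string $path, ?int $now = null): ?int
{
    $re = '#/download_file/view/(\d+)/(\d+)/(\d+)/([A-Za-z0-9_-]{43})/?$#';
    if (!preg_match($re, $path, $m)) {
        return null;
    }
    [$fID, $cID, $expires, $token] = [(int) $m[1], (int) $m[2], (int) $m[3], $m[4]];
    if ($expires < ($now ?? time())) {
        return null;
    }
    // hash_equals() compares in constant time, so the check leaks no timing hints.
    return hash_equals(download_token($fID, $cID, $expires), $token) ? $fID : null;
}

// Constructed demo values, reusing the IDs from the thread (file 23, page 106).
$now  = 1700000000;
$link = signed_download_path(23, 106, 3600, $now);
var_dump(verify_download_path($link, $now));          // link as issued
var_dump(verify_download_path(str_replace('/view/23/', '/view/1/', $link), $now)); // file ID changed
var_dump(verify_download_path($link, $now + 7200));   // checked after expiry
```

A token like this only makes links unguessable: anyone who holds a valid link can use it until it expires, so the file permissions jshannon mentions still decide who should receive a link in the first place.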