File Upload Attribute for User Registration from jordanlev.com - restricted
I have successfully been able to use Jordan Lev's 'File Upload Attribute for User Registration' found at <a href="http://c5blog.jordanlev.com/blog/2011/12/file-upload-attribute-for-user-registration/">HERE</a>. This works great and all the CV's registrants upload successfully go tohttp://www.mysite.com/files/file_upload_attribute/... as intended however the client has pointed out that anyone who gets the address of the files can open it without having to be logged into C5. Although the file URL is prepended with a series of digits, this still seems a little insecure for privacy reasons.
Is there any way of locking down the /files/file_upload_attribute/ folder to only be accessible if logged in to C5 as administrator?
Any help will be hugely appreciated.
I am very sorry if I've misunderstood something but it seems this option requires the admin to upload to file manager and make the changes on a per-file basis.
Is that correct or have I completely missed something here :-)
Thank you SheldonB for taking the time to help me out, I hope you can assist a little further.
Jordan has a thing called magic data. It's a simple way to write and run scripts for c5. Magic data dose have an extension to the file upload add on. I would pm him and ask how he might set up an upload to set to a specific location, because you cant set a location through file sets
(I think 2nd file locations was kind of a second after thought for c5)
at the bottom of the thread in the link there is another way to block file access by setting the .htaccess to limit a specific file type
(might work better for you because you are limiting access to a specific file-type)
each method has its pro and cons ...
One of the advanced options of FEFU is to integrate with my Magic Data addon and can be used to provide a file uploader that uploads files to file sets dependant on who the current user is.
The rest would be a matter of setting the appropriate permissions, so a user could upload to a set and see a download link to what they have uploaded, but not have file manager access to the file. Magic Data deliberately cannot be used to change permissions on-the-fly.
As with any attribute, Magic Data can read the value, but it has no built in deeper understanding of JordanLev's file upload attribute type.