File Upload Attribute for User Registration from jordanlev.com - restricted
Permalink
Hi all,
I have successfully been able to use Jordan Lev's 'File Upload Attribute for User Registration' found at <a href="http://c5blog.jordanlev.com/blog/2011/12/file-upload-attribute-for-user-registration/">HERE</a>. This works great and all the CV's registrants upload successfully go tohttp://www.mysite.com/files/file_upload_attribute/... as intended however the client has pointed out that anyone who gets the address of the files can open it without having to be logged into C5. Although the file URL is prepended with a series of digits, this still seems a little insecure for privacy reasons.
Is there any way of locking down the /files/file_upload_attribute/ folder to only be accessible if logged in to C5 as administrator?
Any help will be hugely appreciated.
Richard
I have successfully been able to use Jordan Lev's 'File Upload Attribute for User Registration' found at <a href="http://c5blog.jordanlev.com/blog/2011/12/file-upload-attribute-for-user-registration/">HERE</a>. This works great and all the CV's registrants upload successfully go tohttp://www.mysite.com/files/file_upload_attribute/... as intended however the client has pointed out that anyone who gets the address of the files can open it without having to be logged into C5. Although the file URL is prepended with a series of digits, this still seems a little insecure for privacy reasons.
Is there any way of locking down the /files/file_upload_attribute/ folder to only be accessible if logged in to C5 as administrator?
Any help will be hugely appreciated.
Richard
Thanks SheldonB, I went through that and set up the alternate storage location as the /files/file_upload_attribute/ folder and everything went fine however how would I go about automating this so that when the user uploads a CV via the registration section, the file uploads to /files/file_upload_attribute/ (which already occurs), File Manager then needs to recognise the file is there (without manually having to upload the file to File Manager) and then have the permission added to all files within that storage folder to only accept admins.
I am very sorry if I've misunderstood something but it seems this option requires the admin to upload to file manager and make the changes on a per-file basis.
Is that correct or have I completely missed something here :-)
Thank you SheldonB for taking the time to help me out, I hope you can assist a little further.
Richard.
I am very sorry if I've misunderstood something but it seems this option requires the admin to upload to file manager and make the changes on a per-file basis.
Is that correct or have I completely missed something here :-)
Thank you SheldonB for taking the time to help me out, I hope you can assist a little further.
Richard.
I understand - I am not sure of a clear answer to that because you would need to set the location in the upload script
Jordan has a thing called magic data. It's a simple way to write and run scripts for c5. Magic data dose have an extension to the file upload add on. I would pm him and ask how he might set up an upload to set to a specific location, because you cant set a location through file sets
(I think 2nd file locations was kind of a second after thought for c5)
at the bottom of the thread in the link there is another way to block file access by setting the .htaccess to limit a specific file type
(might work better for you because you are limiting access to a specific file-type)
each method has its pro and cons ...
Jordan has a thing called magic data. It's a simple way to write and run scripts for c5. Magic data dose have an extension to the file upload add on. I would pm him and ask how he might set up an upload to set to a specific location, because you cant set a location through file sets
(I think 2nd file locations was kind of a second after thought for c5)
at the bottom of the thread in the link there is another way to block file access by setting the .htaccess to limit a specific file type
(might work better for you because you are limiting access to a specific file-type)
each method has its pro and cons ...
My Front End File Uploader addon provides a block that allows users to pop up a file uploader.
http://www.concrete5.org/marketplace/addons/front-end-file-uploader...
One of the advanced options of FEFU is to integrate with my Magic Data addon and can be used to provide a file uploader that uploads files to file sets dependant on who the current user is.
http://www.concrete5.org/marketplace/addons/magic-data/...
The rest would be a matter of setting the appropriate permissions, so a user could upload to a set and see a download link to what they have uploaded, but not have file manager access to the file. Magic Data deliberately cannot be used to change permissions on-the-fly.
As with any attribute, Magic Data can read the value, but it has no built in deeper understanding of JordanLev's file upload attribute type.
http://www.concrete5.org/marketplace/addons/front-end-file-uploader...
One of the advanced options of FEFU is to integrate with my Magic Data addon and can be used to provide a file uploader that uploads files to file sets dependant on who the current user is.
http://www.concrete5.org/marketplace/addons/magic-data/...
The rest would be a matter of setting the appropriate permissions, so a user could upload to a set and see a download link to what they have uploaded, but not have file manager access to the file. Magic Data deliberately cannot be used to change permissions on-the-fly.
As with any attribute, Magic Data can read the value, but it has no built in deeper understanding of JordanLev's file upload attribute type.
http://www.concrete5.org/community/forums/customizing_c5/restrictin...