I uploaded few documents to my trial website and want to make them available to registered members only. How do I do that? "Sets" feature doesnt seem to restrict access, and even setting the file password doesnt seem to work.
Most times when you link to a file, you end up using the direct filename (such as with an image). That link looks like /files/4238/4475/filename.ext. There's really no way to protect such a file as your webserver is pulling it directly off of the filesystem.
So, in order to protect the file you'll need to only provide download links. To protect with more than a password (ie, based on users and groups) you can enable 'advanced permissions' (http://www.concrete5.org/documentation/general-topics/simple-permissions/).
Personally, I have "sensitive" (not private) files that I protect through obscurity. Ie, the /files/xxxx/yyyy link is random and unique enough. Nobody is going to guess it. The /download/xxx link doesn't provide any info about the file, so while someone could get curious and download files sequentially, it gets pretty boring. I just make sure that the links are only provided to those people that I want to be able to get the file.
The background is that I'm going to use C5 for a small association website, and some of the documents which are for members only, may contain personal information (e.g. list of members with addresses etc.). I don't want to take any risks with those, there might be legal trouble if I did.
Perhaps "Paste from Word" or "Scribd Document" add-in will provide solution - just don't upload sensitive file.
but you can't really use .htaccess for permissions itself, because those permissions wouldn't fit in with c5's accounts... at the most you could probably use a common password, but you might as well just do what's above.
If they need to be on a page open for view to the public, advanced permissions for viewing can be applied down to the block level.
You can put a password to protect it... but that's not great. The ideal solution (at least in my case) is to only allow logged in users to access files from a specific set.
Since some files uploaded in the file manager are public and other private... i don't think the .htaccess is a solution.
Is routing every file request through a PHP file a reasonable requirement? That'd, by far, be the most thorough solution. How much slower does this make things? Webservers are pretty fast at static files, and putting a php in the middle, especially one that has to do db calls for permissions, could slow things down a LOT.
Maybe a way to configure which files the webserver can serve natively? An .htaccess that's created/deleted if the file is "anonymous"?