Protecting files?

Hi

I uploaded a few documents to my trial website and want to make them available to registered members only. How do I do that? The "Sets" feature doesn't seem to restrict access, and even setting the file password doesn't seem to work.

jshannon replied:
How do you want them protected? The password should work if you're providing a download link (something like /download/111/222).

Most times when you link to a file, you end up using the direct filename (such as with an image). That link looks like /files/4238/4475/filename.ext. There's really no way to protect such a file as your webserver is pulling it directly off of the filesystem.

So, in order to protect the file you'll need to only provide download links. To protect with more than a password (i.e., based on users and groups) you can enable 'advanced permissions' (http://www.concrete5.org/documentation/general-topics/simple-permissions/).

Personally, I have "sensitive" (not private) files that I protect through obscurity. I.e., the /files/xxxx/yyyy link is random and unique enough. Nobody is going to guess it. The /download/xxx link doesn't provide any info about the file, so while someone could get curious and download files sequentially, it gets pretty boring. I just make sure that the links are only provided to those people that I want to be able to get the file.

James
Bronekk replied:
"There's really no way to protect such a file as your webserver is pulling it directly off of the filesystem." That's what bothers me. Could I put something in .htaccess in the files directory?

The background is that I'm going to use C5 for a small association website, and some of the documents which are for members only, may contain personal information (e.g. list of members with addresses etc.). I don't want to take any risks with those, there might be legal trouble if I did.

Perhaps the "Paste from Word" or "Scribd Document" add-in will provide a solution - just don't upload the sensitive file.
jshannon replied:
Well, I guess you could set up the .htaccess to prevent the files from getting served from Apache. Then only provide the download link, and let c5 manage access and permissions. I think that's the best solution... you could probably even set something up to track who "views" (i.e., downloads) the files.

But you can't really use .htaccess for permissions itself, because those permissions wouldn't fit in with c5's accounts... at the most you could probably use a common password, but you might as well just do what's above.

James
Adreco replied:
Have you looked at simply accessing them through a members only page? Page access can be limited to registered user group in Page Permissions. Advanced permissions can also be activated for more versatility in member access.
If they need to be on a page open for view to the public, advanced permissions for viewing can be applied down to the block level.
slafleche replied:
I'm also looking for a solution to this problem. The members only page is a good idea, but there's a problem. If you had the link to the file, you could still download it.

You can put a password to protect it... but that's not great. The ideal solution (at least in my case) is to only allow logged in users to access files from a specific set.

Since some files uploaded in the file manager are public and others private... I don't think the .htaccess is a solution.
jshannon replied:
Well... what's the solution?

Is routing every file request through a PHP file a reasonable requirement? That'd, by far, be the most thorough solution. How much slower does this make things? Webservers are pretty fast at static files, and putting a php in the middle, especially one that has to do db calls for permissions, could slow things down a LOT.

Maybe a way to configure which files the webserver can serve natively? An .htaccess that's created/deleted if the file is "anonymous"?

Anything else?
abra100pro replied:
Talked with my ISP about it - they said there is no way to save a file from downloading when one has the URL to the file, as long as the file is in the webroot. The only way is to put it outside the webroot. That's as much as I got to know about this. I'd be very interested in another solution.
tallacman replied:
With a PDF you could make it password protected. Same for a zip file.
SheldonB replied:
http://www.concrete5.org/community/forums/customizing_c5/restricting-files-access/#519498 you can use htaccess if you want
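
An added example of the approach discussed in this thread (files kept out of direct reach of the webserver and handed out only by a script that checks the login first); it is not concrete5 code and not from any poster. The session key `member_id`, the `PRIVATE_DIR` path and the `$catalogue` array are assumptions standing in for the site's real login and file records.

```php
<?php
// download.php: added example, not concrete5 code.
// Assumptions (hypothetical): login code sets $_SESSION['member_id']; files live
// in PRIVATE_DIR outside the webroot; $catalogue stands in for the file records.
declare(strict_types=1);

const PRIVATE_DIR = '/var/www/private_files';   // not under the document root

// Constructed sample catalogue; a real site would read this from its database.
$catalogue = [
    101 => ['name' => 'newsletter.pdf',  'members_only' => false],
    102 => ['name' => 'member-list.pdf', 'members_only' => true],
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();

// Accept only a numeric id, never a path, so "../" in the request has nothing to act on.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false || !isset($catalogue[$id])) {
    deny(404);
}
$entry = $catalogue[$id];

// The permission check happens before any byte of the file is read.
if ($entry['members_only'] && empty($_SESSION['member_id'])) {
    deny(403);
}

// Resolve the path and confirm it is still inside PRIVATE_DIR.
$base = realpath(PRIVATE_DIR);
$path = realpath(PRIVATE_DIR . '/' . $entry['name']);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    deny(404);
}

// Audit trail of who downloaded what.
error_log(sprintf('download id=%d member=%s', $id, $_SESSION['member_id'] ?? 'anonymous'));

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

If the files have to stay under the webroot, an .htaccess containing `Require all denied` (Apache 2.4) in that directory blocks the direct /files/... URLs while a script like this can still read them from disk.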