How do you want them protected? The password should work if you're providing a download link (something like /download/111/222).

Most times when you link to a file, you end up using the direct filename (such as with an image). That link looks like /files/4238/4475/filename.ext. There's really no way to protect such a file as your webserver is pulling it directly off of the filesystem.

So, in order to protect the file you'll need to only provide download links. To protect with more than a password (ie, based on users and groups) you can enable 'advanced permissions' (http://www.concrete5.org/documentation/general-topics/simple-permissions/).

Personally, I have "sensitive" (not private) files that I protect through obscurity. Ie, the /files/xxxx/yyyy link is random and unique enough. Nobody is going to guess it. The /download/xxx link doesn't provide any info about the file, so while someone could get curious and download files sequentially, it gets pretty boring. I just make sure that the links are only provided to those people that I want to be able to get the file.

James

"There's really no way to protect such a file as your webserver is pulling it directly off of the filesystem" that's what bothers me. Could I put something in .htaccess in files directory ?

The background is that I'm going to use C5 for a small association website, and some of the documents which are for members only, may contain personal information (e.g. list of members with addresses etc.). I don't want to take any risks with those, there might be legal trouble if I did.

Perhaps "Paste from Word" or "Scribd Document" add-in will provide solution - just don't upload sensitive file.

well, i guess you could set up the .htaccess to prevent the file's from getting served from apache. then only provide the download link, and let c5 manage access and permissions. I think that's the best solution... you could probably even set something up to track who "views" (ie, downloads) the files.

but you can't really use .htaccess for permissions itself, because those permissions wouldn't fit in with c5's accounts... at the most you could probably use a common password, but you might as well just do what's above.

James

Have you looked at simply accessing them through a members only page? Page access can be limited to registered user group in Page Permissions. Advanced permissions can also be activated for more versatility in member access.
If they need to be on a page open for view to the public, advanced permissions for viewing can be applied down to the block level.

I'm also looking for a solution to this problem. The members only page is a good idea, but there's a problem. If you had the link to the file, you could still download it.

You can put a password to protect it... but that's not great. The ideal solution (at least in my case) is to only allow logged in users to access files from a specific set.

Since some files uploaded in the file manager are public and other private... i don't think the .htaccess is a solution.

Well... what's the solution?

Is routing every file request through a PHP file a reasonable requirement? That'd, by far, be the most thorough solution. How much slower does this make things? Webservers are pretty fast at static files, and putting a php in the middle, especially one that has to do db calls for permissions, could slow things down a LOT.

Maybe a way to configure which files the webserver can serve natively? An .htaccess that's created/deleted if the file is "anonymous"?

Anything else?

Talked with my ISP about it - they said, there is no way to save a file from downloading when one has the URL to the file as long as the file is in the webroot. The only way is, to put it outside the webroot. That's as much as I got to know about this. I'd be very interested in another solution.

With a pdf you could make it password protected. Same for a zip file.

http://www.concrete5.org/community/forums/customizing_c5/restricting-files-access/#519498 you can use htaccess if you want