Secure files with advanced permissions

I have some pdf files uploaded through file manager. I've enabled advanced permissions, and under 'access & permissions' on each pdf unticked 'read' and 'search' for guests. I assumed that would make the files inaccessible to guests, but they are still fully accessible. I tried again on a fresh install to make sure it wasn't something I did. Are these permissions supposed to work on files or not? If not, is there another way to limit access like this?

mrnoisy
 
mrnoisy replied:
Bumpetty Bumpetty Bump.

Is there no way to allow file access to logged in users and restrict access to guests?
bw1 replied:
Also wondering about this... I've got permissions on the file set restricted to unregistered/guests, and any links from the site are also on blocks that are restricted, but if you know the URL to the file you can still get it.

I'm not sure if this is something that can be prevented, or if that's as far as it goes?

Any info would be appreciated.
joelhansen replied:
I'm interested in this as well.

I was able to mask the download link to paid content with the Digital Download add on, but generally speaking...
admin replied:
Ditto. I seem to remember this worked for me at some point but it doesn't now.

This seems to clearly be a bug.
admin replied:
I discovered what the issue was with my download link. When I added the file for download, I had hard-coded a direct link to the file (e.g., http://domain.com/files/8213/1853/3886/file.ext)....

When I used the "Add File" function in the content editor or added it as a File block, the permissions acted as expected.

It is true that if they know the direct URL (http://domain.com/files/8213/1853/3886/file.ext) someone can still download the file, but using the correct method effectively masks the direct URL so no one should be able to figure it out. The URL is set to http://domain.com/index.php/download_file/91/273/,... which acts as expected with permissions.

I guess someone could scan your server in some way and list all files (I don't know) but in the normal course of a visitor going to your site, they will not have access to the direct file URL.
joelhansen replied:
Hey hey,

Interesting - good find. I already masked the URL in the File Manager to only display if they are Admin, but that's super good to know.

However, I think this may not be an issue with the Document Library, or even the File Manager, rather an architectural 'choice' regarding permissions at large.

For example, with Advanced Permissions turned on I wanted to throw the site into a 'Maintenance Mode', so I just edited the Permissions of the Home page (everything else is set to inherit these permissions) and changed the basic View privilege to Admin. Files uploaded by logged in users through the Document Library, however, are still available for direct download by Guests (not logged in). (http://mysite.com/files/5613/5069/6663/file_name.doc)

C5 offers beautiful control through Advanced Permissions of Pages and Blocks, but I don't understand control over directories, nor am I sure it's even possible (.htaccess/ Web server control?)

Hope we can get some input from one of 'the guys' in power. :)

Best,

Joel
jawbonelid replied:
This is an old thread but I have a simple solution for anyone else struggling with the same problem:

Create an Alternate Storage Directory in System & Settings > File Storage Locations.

Create the directory on your server

Add an .htaccess file to the new directory containing:
order deny,allow
deny from all

Move the files you want to protect into the new directory using the file manager (click on the file > access & permissions > storage location tab).

That's it. You can no longer navigate directly to any of the files in the protected directory but files can be downloaded when linked by C5 file links.
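
As an added example (not part of jawbonelid's post and not concrete5 code), the script below writes the same deny-all rule in a form that Apache 2.4 also accepts, since `order`/`deny` is the Apache 2.2 syntax, and reports which storage directories have no such rule. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: function names are assumptions, not concrete5 tooling.

# Write an .htaccess that denies all direct HTTP access to a storage directory.
# mod_authz_core exists on Apache 2.4 (Require syntax); the fallback branch
# keeps the Order/Deny rule from the post for Apache 2.2.
write_deny_htaccess() {
    dir=$1
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Return 0 if the directory's .htaccess contains a deny-all rule in either
# syntax. This only checks that the rule is present in the file, not that
# the web server is configured to honour .htaccess files.
has_deny_rule() {
    f=$1/.htaccess
    [ -f "$f" ] || return 1
    grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)[[:space:]]*$' "$f"
}

# Print every directory given as an argument that lacks a deny-all rule.
unprotected_dirs() {
    for d in "$@"; do
        has_deny_rule "$d" || printf '%s\n' "$d"
    done
}
```

Apache applies the file only if `AllowOverride` for that directory permits it (`AuthConfig` for `Require`, `Limit` for `Order`/`Deny`), so confirm the result by requesting a direct file URL as a guest and checking for a 403 response.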
digievo replied:
Thanks for this suggestion.

I have followed your steps and cannot access the file if I use the full link in a browser.

http://www.mysite.com/files2/6913/7359/7588/test.pdf...

However if I use the file block or add in a file through the content block, I am able to copy the link and then open that link in the browser:

http://www.mysite.com/index.php/download_file/view/138/76/...

Is there another type of URL I need to use?

We have discovered that users are logging in and then passing across the download link to other users.

Thanks
davidfurler replied:
I just wanted to add a reply here, as although it is an old thread, I followed jawbonelid's directions above and wanted to confirm they worked for me.
frankdesign replied:
In concrete5.8 the files cannot be downloaded when linked by C5 file links

when you have the correct permissions in c5

If they are stored in the directory /application/private_files

if it has the .htaccess file as above

https://mysite.co.uk/download_file/1234/0... redirects to

https://mysite.co.uk/application/private_files/1234/1234/4321/privat...

which is inaccessible

and if it does not have the .htaccess anyone can access it if they know the URL