Restrict folder to Front End Users?
Re: Restrict folder to Front End Users?
Hi the_obs,
I've tried to simulate what you wrote but on my system it works just the way one would expect.
Folder is unreachable from the outside while "Upoad" shows and enables downloading according to the authorized group. It's unclear to me how you have managed to get what you wrote...
I've tried to simulate what you wrote but on my system it works just the way one would expect.
Folder is unreachable from the outside while "Upoad" shows and enables downloading according to the authorized group. It's unclear to me how you have managed to get what you wrote...
Last edited by gdur on Sun Sep 26, 2010 7:17 pm, edited 1 time in total.
Re: Restrict folder to Front End Users?
??gdur wrote: Hi the_obs,
I've tried to simulate what you wrote but on my system it works just the way one would expect.
Folder is unreqachable from the outside while "Upoad" shows and enables downloading according to the authorized group. It's unclear to me how you have managed to get what you wrote...
I don't understand your post... We both reached the same result with the same method, what is it you do not understand?
Re: Restrict folder to Front End Users?
You wrote
This is operating normal on my end...The problem is when the user wishes to download the file, File List actually only directs the user to the folder, so the user cannot download the file since folder is protected (same Server Error message).
Re: Restrict folder to Front End Users?
Doesn't work with File List, but it does with Uploads or Download Manager.
Re: Restrict folder to Front End Users?
So what is File List?
Re: Restrict folder to Front End Users?
It's a simple module which, as the name implies, lists the files in a directory. It lacks functionality but it works well.gdur wrote: So what is File List?
http://dev.cmsmadesimple.org/projects/file-list-table
Re: Restrict folder to Front End Users?
Many thanks to Callguy1000 & the_obs!!
I got my protected files set up without *any* issues!
What I used:
- FEU module
- A simple .htaccess file in the folder(s) that is(are) to be protected.
order deny, allow
deny from all
allow from 127.0.0.1
(thx callguy1000)
combined with:
- DownloadManager module
(thx the_obs)
Greetings,
Manuel
I got my protected files set up without *any* issues!
What I used:
- FEU module
- A simple .htaccess file in the folder(s) that is(are) to be protected.
order deny, allow
deny from all
allow from 127.0.0.1
(thx callguy1000)
combined with:
- DownloadManager module
(thx the_obs)
Greetings,
Manuel
Do you like your open source cms? Buy from the CMSMS partners || Donate
Re: Restrict folder to Front End Users?
@Calguy
The .htaccess trick works nicely. Could this be added to the Uploads module to create the.htaccess file as part of the dummy index.html creation?
I have done this on a client site as I can't trust them to create the .htaccess file!
I won't post code here as this is obviously contrary to rules posting changes to core files ..
Thanks,
Chris
The .htaccess trick works nicely. Could this be added to the Uploads module to create the.htaccess file as part of the dummy index.html creation?
I have done this on a client site as I can't trust them to create the .htaccess file!
I won't post code here as this is obviously contrary to rules posting changes to core files ..
Thanks,
Chris
Re: Restrict folder to Front End Users?
Related to protecting direct access to the uploaded files, I've just noticed that search will return results for uploaded files.
If a description is set during upload, then a search on the description phrase will return the download url.
I am using FEU to ensure only logged in users have access to files, so clicking the url returns a "not authorised" message but I would like to have search ignore the uploads module.
I have tried with in the template holding the uploads module but this is not honoured.
Any ideas how to prevent this?
Thanks,
Chris
If a description is set during upload, then a search on the description phrase will return the download url.
I am using FEU to ensure only logged in users have access to files, so clicking the url returns a "not authorised" message but I would like to have search ignore the uploads module.
I have tried with in the template holding the uploads module but this is not honoured.
Any ideas how to prevent this?
Thanks,
Chris
Re: Restrict folder to Front End Users?
I had the need for restiction of all use of a given folder. I didnt want the client to use custom code or special modules for uploading the files.
My solution was the folowing:
1. Make a .htaccess inside /uploads/documents/ that redirects all request from this folder and subfolders to /download.php with the file as parameter
2. Make /download.php check with FEU that the user is logged in.
3. Present the user with the requested file if ok, else redirect to login page.
download.php is a customized version of securefile that also accepts plain text url as parameter.
.htaccess is the folowing:
The redirect is invicible to the user, and my client can upload documents without thinking of how the authentification works.
My solution was the folowing:
1. Make a .htaccess inside /uploads/documents/ that redirects all request from this folder and subfolders to /download.php with the file as parameter
2. Make /download.php check with FEU that the user is logged in.
3. Present the user with the requested file if ok, else redirect to login page.
download.php is a customized version of securefile that also accepts plain text url as parameter.
.htaccess is the folowing:
Code: Select all
Options +FollowSymLinks
RewriteEngine on
RewriteBase /
RewriteRule ^(.+)$ download.php?url=uploads/documents/$1 [L]
- fearmydesign
- Power Poster
- Posts: 363
- Joined: Sun Feb 28, 2010 10:54 pm
Re: Restrict folder to Front End Users?
Hi Manuel, this is the first time I attempt this, but I am confused as to which FEU module to use... I see several listed in the module manager, can you tell me which one you chose?manuel wrote:I got my protected files set up without *any* issues!
What I used:
- FEU module
- A simple .htaccess file in the folder(s) that is(are) to be protected.
order deny, allow
deny from all
allow from 127.0.0.1
(thx callguy1000)
combined with:
- DownloadManager module
(thx the_obs)
I also tried downloading the DownloadManager but it keeps giving me an error, was this module discontinued?
I am also trying to secure files (i.e. pdfs, jpgs, docs etc) behind a protected Frontend User Management pages.
Thanks for your (everyones) help
Thanks
Re: Restrict folder to Front End Users?
Hi Fearmydesign,
I don't believe the download manager is discontinued...
If you are having trouble installing it with the module manager, try downloading the XML file and using that to install.
http://dev.cmsmadesimple.org/projects/downloadmanager
The FEU module is this one:
http://dev.cmsmadesimple.org/projects/frontendusers
If you want to DISPLAY the jpgs in a website it won't be possible to "secure" them. (only if the visitor downloads them just as the other documents)
The only reason the file downloads can be protected is because you limit access to them to the localhost (= cmsms).
The software acts as a "man in the middle" (not the attack
), accesses the files and hands them to the logged in visitor. When you DISPLAY images the browser requests these and hence the files can't be protected as the request isn't coming from "localhost"...
ps: one more thing, you will probably also want to use the "CustomContent" module (the FEU module metionned above is a dependency) to limit access to certain pages or content blocks to logged in users.
You can find more information on securing parts of the menu tree using "customcontent" here: http://forum.cmsmadesimple.org/viewtopic.php?t=46284
Greetings,
Manuel
I don't believe the download manager is discontinued...
If you are having trouble installing it with the module manager, try downloading the XML file and using that to install.
http://dev.cmsmadesimple.org/projects/downloadmanager
The FEU module is this one:
http://dev.cmsmadesimple.org/projects/frontendusers
If you want to DISPLAY the jpgs in a website it won't be possible to "secure" them. (only if the visitor downloads them just as the other documents)
The only reason the file downloads can be protected is because you limit access to them to the localhost (= cmsms).
The software acts as a "man in the middle" (not the attack

ps: one more thing, you will probably also want to use the "CustomContent" module (the FEU module metionned above is a dependency) to limit access to certain pages or content blocks to logged in users.
Code: Select all
{if $ccuser->loggedin()}
Something
{else}
Something else
{/if}
Greetings,
Manuel
Last edited by manuel on Thu May 03, 2012 10:32 am, edited 2 times in total.
Do you like your open source cms? Buy from the CMSMS partners || Donate
Re: Restrict folder to Front End Users?
Dear Chris,clefty wrote:Related to protecting direct access to the uploaded files, I've just noticed that search will return results for uploaded files.
You can add the code below to your download manager templates.
Code: Select all
{if $item->accesstype == 0 || $ccuser->loggedin()}........{else}<b>Only avaialbe for <a href="loginpage">logged in users</a></b>{/if}
Manuel
Do you like your open source cms? Buy from the CMSMS partners || Donate