File Upload Security

Post by aravenwood »

Hi - I was playing around with uploading files through the 'insert/edit hyperlink' capability of the rich text editor I use when editing page content. I noticed that when I upload a file, it can also be downloaded by typing its URL directly into the address bar of the browser.

My question is this:

What if I want to be able to upload files to CMS into a directory that is not directly browsable, but which CMS is able to access through links on a page. The reasoning for this would be: I set up CMS, I create a page available only to certain users through FEU, I want that page to have links to some Word documents, but I want those Word documents to be accessible only to users with access to that page - they shouldn't be able to type in the Word document's URL directly and be able to view or download the file.

Is there a way to do this in CMS? I tried messing with the uploads_path and uploads_url settings in the config.php file, but either I didn't figure out what I needed to do to make it work, or I am going about this wrong.

Anyone have any thoughts?  Is there a better way to work this problem?

Thanks.

Michael
jmcgin51
Power Poster
Posts: 1899
Joined: Mon Jun 12, 2006 9:02 pm

Re: File Upload Security

Post by jmcgin51 »

You (or your webhost) can disable directory browsing, which will prevent visitors from being able to type in "yoursite.com/downloads" and getting a list of all the files in that directory.

However, a user who knows the exact URL of a file could still type in "yoursite.com/downloads/exactfilename.fileextension" and view the file. I'm not aware of a way to protect against this, unless each file were embedded in a CustomContent-protected CMSMS page.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Re: File Upload Security

Post by calguy1000 »

Try the uploads module. It handles a bit of this. It stores the files in the uploads// directory, but with an index.html file in that directory by default to prevent browsing. Links to files are munged (well, they're not, but they link to some PHP code that then sends the file to the user after collecting some statistics). It is still possible, however, for users to download the file uploads//filename.doc if they know the exact file name and the category, but they won't find this stuff out easily.
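Both replies above describe the same gap: an index.html or disabled directory listing only hides file names, and a file that sits under the web root can still be fetched by anyone who knows its URL. The robust fix is the pattern calguy1000 hints at, carried one step further: keep the files outside the document root and let a PHP "gatekeeper" script decide, per request, whether the logged-in user may receive them. The script below is an added illustration of that pattern, not code from CMS Made Simple, FEU or the Uploads module. It assumes a private directory at /var/www/private_uploads, that FEU has placed the logged-in user's id and group names in $_SESSION under the keys feu_user_id and feu_groups (both assumed; adapt to how your FEU version exposes them), and a constructed sample policy mapping upload categories to the groups allowed to read them.

```php
<?php
// download.php - hypothetical gatekeeper for protected uploads (added example,
// not CMSMS / FEU / Uploads module code).
declare(strict_types=1);

session_start();

// Assumed location: outside the web root, so no URL maps directly onto these files.
const PRIVATE_DIR = '/var/www/private_uploads';

// Constructed sample policy: upload category => FEU groups allowed to fetch it.
const ACCESS_POLICY = [
    'board' => ['board_members'],
    'staff' => ['staff', 'board_members'],
];

// Session keys are assumed; adapt to how FEU exposes the current user.
function currentUserId(): ?string
{
    return isset($_SESSION['feu_user_id']) ? (string) $_SESSION['feu_user_id'] : null;
}

function currentUserGroups(): array
{
    return $_SESSION['feu_groups'] ?? [];
}

// Unknown categories are denied by default; a user needs at least one listed group.
function isAllowed(string $category, array $groups): bool
{
    $required = ACCESS_POLICY[$category] ?? null;
    if ($required === null) {
        return false;
    }
    return count(array_intersect($required, $groups)) > 0;
}

// Map the request to a real file, refusing anything that could escape PRIVATE_DIR.
function resolveRequestedFile(string $category, string $name): ?string
{
    // Plain names only: no slashes, no NUL bytes, no "." or "..". The D modifier
    // stops "$" from matching before a trailing newline.
    $plain = '/^[A-Za-z0-9._-]+$/D';
    foreach ([$category, $name] as $part) {
        if (!preg_match($plain, $part) || $part === '.' || $part === '..') {
            return null;
        }
    }
    $base = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . '/' . $category . '/' . $name);
    // realpath() returns false for missing files and follows symlinks, so the
    // prefix check catches a link that points outside the private directory.
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$category = (string) ($_GET['cat'] ?? '');
$name     = (string) ($_GET['file'] ?? '');

if (currentUserId() === null) {
    http_response_code(403);
    exit('Login required');
}
if (!isAllowed($category, currentUserGroups())) {
    http_response_code(403);
    exit('Forbidden');
}
$path = resolveRequestedFile($category, $name);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Serve as a download; nosniff keeps browsers from guessing a scriptable type.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Page links then point at download.php?cat=board&file=minutes.doc instead of at the file itself, and the authorisation check runs on every request rather than once when the page is rendered. Two design choices matter: the file name is whitelisted and then re-verified with realpath() so a crafted parameter cannot reach outside the private directory, and the policy denies any category it does not know, so a new upload category is private until someone explicitly opens it. If the files must stay under the web root (as with the Uploads module's uploads// directory), the same script still helps, but only if the web server is additionally configured to refuse direct requests for that directory; otherwise the original URL remains a bypass.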