Restrict folder to Front End Users?

[gdur]

Hi the_obs,

I've tried to simulate what you wrote but on my system it works just the way one would expect.
Folder is unreachable from the outside while "Upoad" shows and enables downloading according to the authorized group. It's unclear to me how you have managed to get what you wrote...

[the_obs]

Hi the_obs,

I've tried to simulate what you wrote but on my system it works just the way one would expect.
Folder is unreqachable from the outside while "Upoad" shows and enables downloading according to the authorized group. It's unclear to me how you have managed to get what you wrote...

??
I don't understand your post... We both reached the same result with the same method, what is it you do not understand?

[gdur]

You wrote

The problem is when the user wishes to download the file, File List actually only directs the user to the folder, so the user cannot download the file since folder is protected (same Server Error message).

This is operating normal on my end...

[the_obs]

Doesn't work with File List, but it does with Uploads or Download Manager.

[gdur]

So what is File List?

[the_obs]

So what is File List?

It's a simple module which, as the name implies, lists the files in a directory. It lacks functionality but it works well.

http://dev.cmsmadesimple.org/projects/file-list-table

[manuel]

Many thanks to Callguy1000 & the_obs!!

I got my protected files set up without *any* issues!

What I used:
- FEU module
- A simple .htaccess file in the folder(s) that is(are) to be protected.
     
          order deny, allow
          deny from all
          allow from 127.0.0.1
     
(thx callguy1000)

combined with:
- DownloadManager module
(thx the_obs)

Greetings,
Manuel

[clefty]

@Calguy
The .htaccess trick works nicely. Could this be added to the Uploads module to create the.htaccess file as part of the dummy index.html creation?

I have done this on a client site as I can't trust them to create the .htaccess file!
I won't post code here as this is obviously contrary to rules posting changes to core files ..

Thanks,
Chris

[clefty]

Related to protecting direct access to the uploaded files, I've just noticed that search will return results for uploaded files.

If a description is set during upload, then a search on the description phrase will return the download url.

I am using FEU to ensure only logged in users have access to files, so clicking the url returns a "not authorised" message but I would like to have search ignore the uploads module.

I have tried with in the template holding the uploads module but this is not honoured.

Any ideas how to prevent this?

Thanks,
Chris

[tamsrud]

I had the need for restiction of all use of a given folder. I didnt want the client to use custom code or special modules for uploading the files.

My solution was the folowing:
1. Make a .htaccess inside /uploads/documents/ that redirects all request from this folder and subfolders to /download.php with the file as parameter
2. Make /download.php check with FEU that the user is logged in.
3. Present the user with the requested file if ok, else redirect to login page.

download.php is a customized version of securefile that also accepts plain text url as parameter.

.htaccess is the folowing:

Code: Select all

Options +FollowSymLinks
RewriteEngine on
RewriteBase /
RewriteRule ^(.+)$ download.php?url=uploads/documents/$1 [L]

The redirect is invicible to the user, and my client can upload documents without thinking of how the authentification works.

[fearmydesign]

I got my protected files set up without *any* issues!

What I used:
- FEU module
- A simple .htaccess file in the folder(s) that is(are) to be protected.
     
          order deny, allow
          deny from all
          allow from 127.0.0.1
     
(thx callguy1000)

combined with:
- DownloadManager module
(thx the_obs)

Hi Manuel, this is the first time I attempt this, but I am confused as to which FEU module to use... I see several listed in the module manager, can you tell me which one you chose?
I also tried downloading the DownloadManager but it keeps giving me an error, was this module discontinued?

I am also trying to secure files (i.e. pdfs, jpgs, docs etc) behind a protected Frontend User Management pages.

Thanks for your (everyones) help

Thanks

[manuel]

Hi Fearmydesign,

I don't believe the download manager is discontinued...
If you are having trouble installing it with the module manager, try downloading the XML file and using that to install.
http://dev.cmsmadesimple.org/projects/downloadmanager

The FEU module is this one:
http://dev.cmsmadesimple.org/projects/frontendusers

If you want to DISPLAY the jpgs in a website it won't be possible to "secure" them. (only if the visitor downloads them just as the other documents)
The only reason the file downloads can be protected is because you limit access to them to the localhost (= cmsms).
The software acts as a "man in the middle" (not the attack ), accesses the files and hands them to the logged in visitor. When you DISPLAY images the browser requests these and hence the files can't be protected as the request isn't coming from "localhost"...

ps: one more thing, you will probably also want to use the "CustomContent" module (the FEU module metionned above is a dependency) to limit access to certain pages or content blocks to logged in users.

Code: Select all

{if $ccuser->loggedin()}
Something
{else}
Something else
{/if}

You can find more information on securing parts of the menu tree using "customcontent" here: http://forum.cmsmadesimple.org/viewtopic.php?t=46284

Greetings,
Manuel

[manuel]

Related to protecting direct access to the uploaded files, I've just noticed that search will return results for uploaded files.

Dear Chris,

You can add the code below to your download manager templates.

Code: Select all

{if $item->accesstype == 0 || $ccuser->loggedin()}........{else}<b>Only avaialbe for <a href="loginpage">logged in users</a></b>{/if}

Greetings,
Manuel