I'm building a document repository that will use FEU to determine which documents a user sees. Following on the heels of vhaakman (http://forum.cmsmadesimple.org/viewtopi ... anager+FEU) I've implemented a system to pull the username of the FEUser, and display a list of documents in a category matching that username. System works great so far.
My question concerns security of the documents. You can still access them if you know the file path (e.g. /downloads/filename.pdf). The module handles the DISPLAY of the links, and even limits DOWNLOADS through the site, but is there any opportunity to restrict access at a SERVER level to the files, so that anyone not logged in is denied access? I've seen other posts pertaining to this, but haven't found one that successfully answers the question. The client wants to post some sensitive documents and needs assurances that they will in fact be secured.
DownloadManager security [SOLVED]
Last edited by tophers on Thu Jul 18, 2013 3:40 pm, edited 2 times in total.
calguy1000
Re: DownloadManager security
I've described this before.
Although I've never used the download manager, the Uploads module provides a URL to obfuscate the original URL to the file and to gather statistics on downloads.
When using this, you can create a .htaccess file in the appropriate directories that:
a: Disallows file indexes
b: Disallows access to all but 127.0.0.1
# b: for the methods listed, deny everyone except 127.0.0.1
<Limit GET POST HEAD DELETE>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Limit>
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: DownloadManager security
Too funny - I wrote that post before heading to a meeting, and on the drive there I recalled seeing you post something similar that I had tried in the past. Made a note to look into it when I got back to my desk. The last time I didn't have much success, but I think it's because of the method I was using. This time around, with DownloadManager, it's working perfectly.
For anyone following this, simply add an .htaccess file with the above contents to your directory (in my case it was /downloads, as required by the DownloadManager module). Thanks again Calguy.
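The two rules calguy1000 lists (a: no file indexes, b: no access except from 127.0.0.1), written out as a complete .htaccess for the /downloads directory. This is an added example, not code from the thread: it goes beyond the posted snippet by dropping the <Limit> wrapper and by covering both the Apache 2.2 and 2.4 access-control syntax. It assumes AllowOverride permits Options, Limit and AuthConfig for this directory.

```apache
# /downloads/.htaccess  (added example; the directory is the one named in the thread)

# a: never generate a directory listing for this folder.
Options -Indexes

# b: refuse every direct HTTP request unless it comes from 127.0.0.1.
# The rules are not wrapped in <Limit ...>: a <Limit> block applies only to
# the methods it names, so a method left off the list is not covered by the rule.

# Apache 2.4 and later (mod_authz_core is present)
<IfModule mod_authz_core.c>
    Require ip 127.0.0.1
</IfModule>

# Apache 2.2 (no mod_authz_core): the Order/Deny/Allow form used in the thread
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</IfModule>
```

To confirm the rule is active, request /downloads/filename.pdf directly from another machine while logged out and expect a 403 response. If Apache sits behind a reverse proxy on the same host, every request arrives from 127.0.0.1, so repeat that check through the proxy.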

