secure upload/download of files by registered users?
I'm looking for the ability for registered users, who have unique custom content pages, to be able to download and upload files securely. In other words, Group A should be able to upload files which I, the administrator, can see, but which Group B will have no access to, and vice versa. I may also need to put up a link to a file which Group B can access on their private custom content page, but which no one in Group A will see. Is this possible in CMSMS? I have been looking at the Uploads module but it doesn't seem like it quite does what I want.
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: secure upload/download of files by registered users?
Take a look at the CustomContent module, the FrontEndUsers module, and the Uploads module.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: secure upload/download of files by registered users?
I have all 3 of those modules installed, and I have successfully created a custom content page for my first group. But it is not clear to me how to set up an uploads area that only this group has access to.
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: secure upload/download of files by registered users?
Create a category in the uploads module, mark it as listable
then put the appropriate uploads tags inside the content that only members from group A can see.
i.e:
{cms_module module=Uploads mode=summary category=groupa}
{cms_module module=Uploads mode=upload category=groupa}
Re: secure upload/download of files by registered users?
Thanks! I've got this working now, more or less, but the document is not what I would consider "secure," merely hidden. What I mean is, there is a URL for the test document (which I have called test.txt) and when I try to access that URL from another computer/browser that is not logged in, there is no username/password prompt or any barrier to downloading it. See what I mean:
test.txt
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: secure upload/download of files by registered users?
Yes, you can still go to /uploads/categoryname/filename
to solve this problem you can put a .htaccess file in the category directory to limit access only to the web server host.
there's already an option to put an empty index.html file in there when the category is created, to stop browsing.
Re: secure upload/download of files by registered users?
I'm sure I've read someone here in the forum who can place uploaded files out of the web folder, but after a long search I can't find that message.
On my hosting I have a folder accessible through script but not through the web, so it would be the perfect place to put files and restrict download to FrontEndUsers.
I found the _categoryPath function in Uploads.module.php on line 214 (Revision: 69). If I change config['uploads_path'] to another path like secure_uploads_path (eventually set in config.php), will the Uploads module still work, or will changing this function invalidate everything?
Re: secure upload/download of files by registered users?
calguy1000 wrote: to solve this problem you can put a .htaccess file in the category directory to limit access only to the web server host. there's already an option to put an empty index.html file in there when the category is created, to stop browsing.
Yes, I saw the option of the empty index file, that is helpful. Would you mind elaborating on the .htaccess thing? I am more of a designer than a developer. I googled .htaccess and learned some things about password protecting directories, but that sounds different than what you are saying. You mention limiting access to the web server host. Does that mean users could only download files by going through the CMSMS interface? They couldn't type in the URL directly?
Re: secure upload/download of files by registered users?
Quote: You mention limiting access to the web server host. Does that mean users could only download files by going through the CMSMS interface? They couldn't type in the URL directly?
Yes, exactly.
Re: secure upload/download of files by registered users?
mahjong wrote:
Quote: You mention limiting access to the web server host. Does that mean users could only download files by going through the CMSMS interface? They couldn't type in the URL directly?
Yes, exactly.
I'm also looking for a solution to this problem.. if someone could give more direct answers than just hints I'd be very happy

-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: secure upload/download of files by registered users?
Here's one way to do it:
Code:
SetEnvIfNoCase User-Agent "^$" locally_linked=1
SetEnvIfNoCase Referer "^http://www.domain.com/" locally_linked=1
Order Deny,Allow
Deny from all
allow from env=locally_linked
You should also be able to do a
Code:
allow from 127.0.0.1
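An added example, not part of the thread and not CMSMS or Uploads module code: the pattern raised above of keeping files in a folder the web server does not serve directly and handing them out only through a script that checks the requester's group. Unlike a Referer or User-Agent match, which depends on headers the client sends, the decision here rests on the logged-in user's groups. The storage path, the category-to-group map, the function names and the way the caller obtains the user's groups are all assumptions.

```php
<?php
// Added example; all names and paths below are hypothetical.
const SECURE_UPLOADS = '/home/example/secure_uploads';   // assumed folder outside the web root
const CATEGORY_GROUPS = [                                // assumed map: category => owning group
    'groupa' => 'Group A',
    'groupb' => 'Group B',
];

/**
 * Return the absolute path the user may download, or null when the request
 * must be refused. $userGroups is supplied by the site's own login layer.
 */
function resolve_download(string $category, string $file, array $userGroups,
                          string $base = SECURE_UPLOADS): ?string
{
    // Refuse unknown categories and users outside the owning group.
    $owner = CATEGORY_GROUPS[$category] ?? null;
    if ($owner === null || !in_array($owner, $userGroups, true)) {
        return null;
    }
    // basename() drops any directory part, so "../groupb/x" cannot leave the category.
    $name = basename($file);
    if ($name === '' || $name[0] === '.') {   // also refuses .htaccess and other dotfiles
        return null;
    }
    $root = realpath($base . '/' . $category);
    $path = realpath($base . '/' . $category . '/' . $name);
    // realpath() resolves symlinks; the result must still sit inside the category folder.
    if ($root === false || $path === false || !is_file($path) ||
        strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Stream the file, or answer 404 so outsiders cannot tell which files exist. */
function send_download(string $category, string $file, array $userGroups): void
{
    $path = resolve_download($category, $file, $userGroups);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    // Restrict the advertised name to safe characters before it goes into a header.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```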