Extending Frontend User Security to Uploaded Files

Post by MTLauer »

We use the Frontend User Security and it works very well for the pages stored in CMSMS.  It doesn't extend to files (.pdf and the like) that are Uploaded to the site and security is circumvented via Google searches and the like.  I was wondering if anyone had considered a method of extending Frontend Security to prevent access to Uploaded files?

I was thinking that securing the actual document upload directory would likely cause a fundamental break in the operation of CMSMS (but perhaps not for someone more clever than me).  Given that thinking and as a work-around, it might be possible to create a separate, secure directory wherein I can manually move sensitive documents to while updating the links imbedded in pages to access those sensitive documents.

Has anyone else encountered this problem?  If so, do you have thoughts on a solution?

Re: Extending Frontend User Security to Uploaded Files

Post by alby »

MTLauer wrote: We use the Frontend User Security and it works very well for the pages stored in CMSMS.  It doesn't extend to files (.pdf and the like) that are Uploaded to the site and security is circumvented via Google searches and the like.  I was wondering if anyone had considered a method of extending Frontend Security to prevent access to Uploaded files?

I was thinking that securing the actual document upload directory would likely cause a fundamental break in the operation of CMSMS (but perhaps not for someone more clever than me).  Given that thinking and as a work-around, it might be possible to create a separate, secure directory wherein I can manually move sensitive documents to while updating the links imbedded in pages to access those sensitive documents.

Has anyone else encountered this problem?  If so, do you have thoughts on a solution?

Use the Uploads module to protect your files.

Alby

Re: Extending Frontend User Security to Uploaded Files

Post by MTLauer »

I believe that I already do.  I currently use the CMSMS File Manager to upload the files.  Are you referring to this feature or some other feature?

Michael

Re: Extending Frontend User Security to Uploaded Files

Post by alby »

MTLauer wrote: I believe that I already do.  I currently use the CMSMS File Manager to upload the files.  Are you referring to this feature or some other feature?

No, the Uploads module, not the FileManager module.

Alby

Re: Extending Frontend User Security to Uploaded Files

Post by MTLauer »

I see where the Uploads module allows users to upload files to the site.  However, the problem I'm addressing is that I'd like .pdf files and the like that are stored within certain directories to not be accessible unless you are registered for access using FrontEndUser module.  I realize this is inconsistent with the permissions required for the CMSMS sites.

My current work-around is to move an uploaded file to a secure directory (outside of CMSMS) and then to publish the UserID/Password for that directory on the page that will only display if the person is a registered FrontEndUser.  This prevents Google and other search engines from indexing the file and additionally prevents anyone not having the UserID/Password from accessing the file.

Re: Extending Frontend User Security to Uploaded Files

Post by alby »

My advice is to install Uploads and take a closer look.
Uploads hides your files with fake names and permits download to your allowed FEU group.

Alby

Re: Extending Frontend User Security to Uploaded Files

Post by jmcgin51 »

I agree with alby.  Install Uploads and work with it a bit...

Re: Extending Frontend User Security to Uploaded Files

Post by jtcreate »

I have the same situation. FEU and CC are working great. I have installed uploads and only allowed permission to download from the folder to my FEU group. But, yet it still lets anyone in to download the files if you know the name or find via search.

Thoughts? Thanks.
Mmmmm... Tasty.

Re: Extending Frontend User Security to Uploaded Files

Post by alby »

jtcreate wrote: I have the same situation. FEU and CC are working great. I have installed uploads and only allowed permission to download from the folder to my FEU group. But, yet it still lets anyone in to download the files if you know the name or find via search.

How do you know the names?

Alby

Re: Extending Frontend User Security to Uploaded Files

Post by jtcreate »

I posted all the files and created all the users inside the group. If someone logs in and gives the link to the PDF file to someone else, all they would have to do is paste in URL and it opens up. I am hoping that if they give out the link /uploads/files/file.pdf that it will tell them they are unauthorized to download.
Mmmmm... Tasty.

Re: Extending Frontend User Security to Uploaded Files

Post by jtcreate »

Ok. I see from this post: http://forum.cmsmadesimple.org/index.ph ... 808.0.html that it won't protect files if someone knows the exact path.
Mmmmm... Tasty.

Re: Extending Frontend User Security to Uploaded Files

Post by jmcgin51 »

jtcreate wrote: If someone logs in and gives the link to the PDF file to someone else, all they would have to do is paste in URL and it opens up.
If a logged in user is giving out the link produced by the Uploads module, the link should look something like this:
http://www.mysite.com/index.php?mact=Up ... 24&page=24

If the unauthorized/unauthenticated user pastes this URL into a browser, they will in fact get the "unauthorized" message.

But there's a bigger issue here: if your authorized users are giving links to unauthorized users, perhaps the authorized user should have his permissions removed.  (i.e. the software can only do so much.  The human factor is another issue.)

Re: Extending Frontend User Security to Uploaded Files

Post by jtcreate »

Very good point. These aren't ultra critical files. We're just trying to keep the casual thief out and are trusting our authorized users not to pass the link around.

As for file naming... I uploaded the files via FTP into that directory and am using pretty urls. How do I get the links to look like that? When a user logs in they get a link to either 1 or 2 files. Those links were manually set as /uploads/files/filename.pdf on each protected page.

Also, thank you for your time and help today. It is much appreciated.
Mmmmm... Tasty.

Re: Extending Frontend User Security to Uploaded Files

Post by alby »

jtcreate wrote: As for file naming... I uploaded the files via FTP into that directory and am using pretty urls. How do I get the links to look like that? When a user logs in they get a link to either 1 or 2 files. Those links were manually set as /uploads/files/filename.pdf on each protected page.

Why upload the files via FTP? Now I know how you know the file name.
Use the Uploads module; it creates a fake-name link for your files.

Alby

Re: Extending Frontend User Security to Uploaded Files

Post by jmcgin51 »

Alby is correct.

If you use the Uploads module to upload the files and to display the links on your page (via the {Uploads} call), your links will look just like the example I posted, and will be protected (when that URL is used, not when a direct path/filename.ext link is used).

If you're using FTP to upload the files, and hardcoding the links onto each page, you're missing all the functionality of Uploads.
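
Added example, not part of the original thread and not code from CMSMS, FrontEndUsers or Uploads: the thread's conclusion is that a link through index.php is checked against the login, while a direct /uploads/files/filename.pdf path is served by the web server with no check at all. The sketch below shows the same pattern in plain PHP: files live outside the document root and are only streamed after a login check. The directory, the `file` parameter and the `member_ok` session key are hypothetical names, not the FrontEndUsers API.

```php
<?php
declare(strict_types=1);

// Hypothetical values (assumptions, adjust to your site).
const PROTECTED_DIR = '/var/www/private_files';      // outside the document root
const ALLOWED_TYPES = ['pdf' => 'application/pdf'];  // extension => MIME type

// Map a requested name to a real file inside PROTECTED_DIR, or null.
function resolve_protected_file(string $requested): ?string
{
    $name = basename($requested);                    // drop any directory part
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) { // plain file names only
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    $base = realpath(PROTECTED_DIR);
    $path = realpath(PROTECTED_DIR . '/' . $name);
    // realpath() follows symlinks, so check containment on the resolved path.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['member_ok'])) {                 // hypothetical login flag
    http_response_code(403);
    exit('Unauthorized');
}
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_protected_file($requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Robots-Tag: noindex');                     // keep search engines out
header('Cache-Control: private, no-store');
readfile($path);
```

Because the files are not under the document root, there is no direct path for a search engine to index or for a shared link to reach; every request passes through the login check.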