Extending Frontend User Security to Uploaded Files
Posted: Tue Mar 24, 2009 12:38 pm
by MTLauer
We use the Frontend User Security and it works very well for the pages stored in CMSMS. It doesn't extend to files (.pdf and the like) that are Uploaded to the site and security is circumvented via Google searches and the like. I was wondering if anyone had considered a method of extending Frontend Security to prevent access to Uploaded files?
I was thinking that securing the actual document upload directory would likely cause a fundamental break in the operation of CMSMS (but perhaps not for someone more clever than me). Given that thinking and as a work-around, it might be possible to create a separate, secure directory wherein I can manually move sensitive documents to while updating the links imbedded in pages to access those sensitive documents.
Has anyone else encountered this problem? If so, do you have thoughts on a solution?
Re: Extending Frontend User Security to Uploaded Files
Posted: Tue Mar 24, 2009 1:40 pm
by alby
MTLauer wrote:
We use the Frontend User Security and it works very well for the pages stored in CMSMS. It doesn't extend to files (.pdf and the like) that are Uploaded to the site and security is circumvented via Google searches and the like. I was wondering if anyone had considered a method of extending Frontend Security to prevent access to Uploaded files?
I was thinking that securing the actual document upload directory would likely cause a fundamental break in the operation of CMSMS (but perhaps not for someone more clever than me). Given that thinking and as a work-around, it might be possible to create a separate, secure directory wherein I can manually move sensitive documents to while updating the links imbedded in pages to access those sensitive documents.
Has anyone else encountered this problem? If so, do you have thoughts on a solution?
Use the Uploads module to protect your files.
Alby
Re: Extending Frontend User Security to Uploaded Files
Posted: Mon Mar 30, 2009 3:23 pm
by MTLauer
I believe that I already do. I currently use the CMSMS File Manager to upload the files. Are you referring to this feature or some other feature?
Michael
Re: Extending Frontend User Security to Uploaded Files
Posted: Mon Mar 30, 2009 3:28 pm
by alby
MTLauer wrote:
I believe that I already do. I currently use the CMSMS File Manager to upload the files. Are you referring to this feature or some other feature?
No.
The Uploads module, not the FileManager module.
Alby
Re: Extending Frontend User Security to Uploaded Files
Posted: Thu Apr 02, 2009 4:36 pm
by MTLauer
I see where the Uploads module allows users to upload files to the site. However, the problem I'm addressing is that I'd like .pdf files and the like that are stored within certain directories to not be accessible unless you are registered for access using FrontEndUser module. I realize this is inconsistent with the permissions required for the CMSMS sites.
My current work-around is to move an uploaded file to a secure directory (outside of CMSMS) and then to publish the UserID/Password for that directory on the page that will only display if the person is a registered FrontEndUser. This prevents Google and other search engines from indexing the file and additionally prevents anyone not having the UserID/Password from accessing the file.
Re: Extending Frontend User Security to Uploaded Files
Posted: Thu Apr 02, 2009 4:59 pm
by alby
My advice is to install Uploads and take a closer look.
Uploads hides your files with fake names and permits download to your allowed FEU group.
Alby
Re: Extending Frontend User Security to Uploaded Files
Posted: Thu Apr 02, 2009 5:05 pm
by jmcgin51
I agree with alby. Install Uploads and work with it a bit...
Re: Extending Frontend User Security to Uploaded Files
Posted: Wed Apr 22, 2009 5:01 pm
by jtcreate
I have the same situation. FEU and CC are working great. I have installed Uploads and only allowed permission to download from the folder to my FEU group. Yet it still lets anyone in to download the files if they know the name or find them via search.
Thoughts? Thanks.
Re: Extending Frontend User Security to Uploaded Files
Posted: Wed Apr 22, 2009 5:07 pm
by alby
jtcreate wrote:
I have the same situation. FEU and CC are working great. I have installed Uploads and only allowed permission to download from the folder to my FEU group. Yet it still lets anyone in to download the files if they know the name or find them via search.
How do you know the names?
Alby
Re: Extending Frontend User Security to Uploaded Files
Posted: Wed Apr 22, 2009 5:15 pm
by jtcreate
I posted all the files and created all the users inside the group. If someone logs in and gives the link to the PDF file to someone else, all they would have to do is paste in URL and it opens up. I am hoping that if they give out the link /uploads/files/file.pdf that it will tell them they are unauthorized to download.
Re: Extending Frontend User Security to Uploaded Files
Posted: Wed Apr 22, 2009 5:52 pm
by jtcreate
Ok. I see from this post:
http://forum.cmsmadesimple.org/index.ph ... 808.0.html that it won't protect files if someone knows the exact path.
Re: Extending Frontend User Security to Uploaded Files
Posted: Wed Apr 22, 2009 6:00 pm
by jmcgin51
jtcreate wrote:
If someone logs in and gives the link to the PDF file to someone else, all they would have to do is paste in URL and it opens up.
If a logged in user is giving out the link produced by the Uploads module, the link should look something like this:
http://www.mysite.com/index.php?mact=Up ... 24&page=24
If the unauthorized/unauthenticated user pastes this URL into a browser, they will in fact get the "unauthorized" message.
But there's a bigger issue here: if your authorized users are giving links to unauthorized users, perhaps the authorized user should have his permissions removed. (i.e. the software can only do so much. The human factor is another issue.)
Re: Extending Frontend User Security to Uploaded Files
Posted: Wed Apr 22, 2009 6:08 pm
by jtcreate
Very good point. These aren't ultra critical files. We're just trying to keep the casual thief out and are trusting our authorized users not to pass the link around.
As for file naming... I uploaded the files via FTP into that directory and am using pretty urls. How do I get the links to look like that? When a user logs in they get a link to either 1 or 2 files. Those links were manually set as /uploads/files/filename.pdf on each protected page.
Also, thank you for your time and help today. It is much appreciated.
Re: Extending Frontend User Security to Uploaded Files
Posted: Wed Apr 22, 2009 9:34 pm
by alby
jtcreate wrote:
As for file naming... I uploaded the files via FTP into that directory and am using pretty urls. How do I get the links to look like that? When a user logs in they get a link to either 1 or 2 files. Those links were manually set as /uploads/files/filename.pdf on each protected page.
Why upload files via FTP? Now I know how you know the file name.
Use the Uploads module; it creates a fake-name link for your files.
Alby
Re: Extending Frontend User Security to Uploaded Files
Posted: Thu Apr 23, 2009 12:17 am
by jmcgin51
Alby is correct.
If you use the Uploads module to upload the files and to display the links on your page (via the {Uploads} call), your links will look just like the example I posted, and will be protected (when that URL is used, not when a direct path/filename.ext link is used).
If you're using FTP to upload the files, and hardcoding the links onto each page, you're missing all the functionality of Uploads.
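The distinction drawn in the posts above (a module link is checked on every request, while a direct /uploads/files/... path is served by the web server with no check) can be sketched as a stand-alone download script. This is an added example, not part of the thread and not CMSMS or Uploads module code; the session key, group name, directory and catalogue entries are hypothetical, and it assumes the protected directory sits outside the web root so no direct URL reaches it.

```php
<?php
// Added example: access-checked download gate (not CMSMS/Uploads code).
// Hypothetical assumptions: the site's login code stores the visitor's
// group names in $_SESSION['groups']; protected files live outside the
// web root, so a pasted /uploads/files/name.pdf link cannot reach them.
const PROTECTED_DIR = '/var/www/private_files'; // hypothetical path
const ALLOWED_GROUP = 'members';                // hypothetical group name

// Opaque id => stored file name (constructed sample entries).
// Links carry only the id, never the real file name.
$catalog = array(
    'a1f3c9' => 'annual-report.pdf',
    'b72e04' => 'price-list.pdf',
);

function deny($code, $message) {
    http_response_code($code);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

session_start();

// 1. Authorization is checked on every request, before any disk access.
$groups = isset($_SESSION['groups']) ? (array) $_SESSION['groups'] : array();
if (!in_array(ALLOWED_GROUP, $groups, true)) {
    deny(403, 'Unauthorized');
}

// 2. Look up by id only; request input is never used as a path.
$id = (isset($_GET['id']) && is_string($_GET['id'])) ? $_GET['id'] : '';
if (!isset($catalog[$id])) {
    deny(404, 'Not found');
}

// 3. Containment: the resolved file must still be inside PROTECTED_DIR.
$base = realpath(PROTECTED_DIR);
$path = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $catalog[$id]);
if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    deny(404, 'Not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A link such as download.php?id=a1f3c9 handed to someone who is not logged in returns 403, which is the behaviour described for the module link; a hard-coded path to the file never passes through this check at all.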