Restrict folder to Front End Users?
Hey all,
Is it possible to restrict access to a web folder (i.e. domain.com/folder/) and its contents to only a group of Front End Users?
Thanks!
Re: Restrict folder to Front End Users?
CMSMS does not work on a true directory hierarchy model. Are you looking to restrict access to documents (files) or to page content?
If you really need to restrict access to a physical directory, CMSMS cannot do it. You need to use .htaccess or other methods. If you're looking to restrict access to files or page content, then CMSMS can do it via the Uploads module, FEU/CC, etc.
HOWEVER, be aware that a user who knows the URL can still access files "protected" by CMSMS/Uploads/FEU/CC.
Re: Restrict folder to Front End Users?
jmcgin51 wrote:
CMSMS does not work on a true directory hierarchy model. Are you looking to restrict access to documents (files) or to page content?
If you really need to restrict access to a physical directory, CMSMS cannot do it. You need to use .htaccess or other methods. If you're looking to restrict access to files or page content, then CMSMS can do it via the Uploads module, FEU/CC, etc.
HOWEVER, be aware that a user who knows the URL can still access files "protected" by CMSMS/Uploads/FEU/CC.
... which is why I need an alternative system.
Is there a way I can interface .htaccess configurations with FEU protection?
like
{if user logged in}
{access directory with credentials bla bla and list contents} //via File List module
{else}
Get off my turf!
{/if}
Last edited by the_obs on Thu Sep 23, 2010 4:49 pm, edited 1 time in total.
Re: Restrict folder to Front End Users?
jmcgin51 wrote:
If you really need to restrict access to a physical directory, CMSMS cannot do it.
Don't say that

There is a plugin SecureFileDownload that will do that.
It is pretty simple to use and even if it is marked to be stale it should still work very well.
Since it is a plugin it is not that subject to changes to the core.
Read the readme.txt that is included in the download zip.
And there is a module DownloadManager that also allows obfuscation of the real path to a file (similar to SecureFileDownload).
In conjunction with CustomContent it should also be able to restrict file access to FrontendUsers only.
Re: Restrict folder to Front End Users?
Here is what I want:
If user is logged in => File List lists content of a folder and user can download folder contents
If user isn't logged in => User cannot access folder via URL, File List doesn't list contents.
So basically, the only way to access the folder would be through File List.
Re: Restrict folder to Front End Users?
I don't know FileList.
How is the output performed?
Is there a template for it?
Does the template contain the urls to the files?
If so, you can just combine SecureFileDownload and FileList.
If user is logged in call FileList.
In the FileList template use SecureFileDownload to link to the files (actually it will link to a PHP script that checks login status, reads the file from the folder and returns it. So no one needs direct access to that folder. This is done with .htaccess.)
Re: Restrict folder to Front End Users?
NaN wrote:
jmcgin51 wrote:
If you really need to restrict access to a physical directory, CMSMS cannot do it.
Don't say that
There is a plugin SecureFileDownload that will do that.
It is pretty simple to use and even if it is marked to be stale it should still work very well.
Since it is a plugin it is not that subject to changes to the core.
Read the readme.txt that is included in the download zip.
And there is a module DownloadManager that also allows obfuscation of the real path to a file (similar to SecureFileDownload).
In conjunction with CustomContent it should also be able to restrict file access to FrontendUsers only.
Thanks Nan. Correct me if I'm wrong, but neither of these options actually protects the folder (prevents the user from accessing the folder contents). They both just obfuscate the URL. That's why my original response indicated that it is beyond the scope of CMSMS to actually protect a directory. Depending on the level of security needed, this may be sufficient.
I'll certainly defer to those with more experience/knowledge, but this is my understanding.
Re: Restrict folder to Front End Users?
Unfortunately, I do not have sufficiently advanced knowledge of PHP and CMSMS to answer your question. File list is provided as a function.xxx php file:
http://s3.amazonaws.com/cmsms/downloads ... _1.0.2.zip
I would greatly appreciate if you could check it out and tell me whether it can be modified to suit my needs.
Many thanks!
Re: Restrict folder to Front End Users?
jmcgin51 wrote:
That's why my original response indicated that it is beyond the scope of CMSMS to actually protect a directory.
Well you're right.
My fault. Protection cannot be done with CMSms.
You always need to do some server side settings to prevent direct access to the files.
It just sounded to me as if you meant the_obs' purposes would not be possible with CMSms in general.
But i think this is not the case.
I guess the_obs knows (at least now because of our answers

But you can still grant access to the content of protected folders/files using a CMSms plugin/module.
Denying direct access to a folder by default (using a .htaccess file or whatever your server provides) and using a plugin/module of CMSms that reads the file's content (by not accessing the file directly from the web but from the server using a php function) and returns it (with correct headers) to the browser only if the user is logged in should be secure enough (imho).
Anyway i would never provide really sensitive data to the web using PHP and CMSms.
(No offence here. I love PHP and CMSms but i would rather pay much money for security than using free open source software - somehow i'm a bit paranoid

the_obs wrote:
I would greatly appreciate if you could check it out and tell me whether it can be modified to suit my needs.
The problem is not to show the folder's content only to FrontendUsers but to prevent access to the folder directly with a link even if you're not logged in. The basic idea is to deny any access to the folder and its files from "outside". That means any access by the browser using a link that links directly to the file. This can be done with a .htaccess file that is placed in the folder at your server. Instead of a direct link to the file you link to a script (a module or a php file passing the path to the file in a query var - encoded would be best) that checks if the user is logged in. If so it reads the file's content using a php function and returns the file's content to the browser. If not it redirects to an error page.
This is the theory.
As i could see FileList would need some modification because you don't have any control of the output. It is all in the code itself and so you cannot manipulate the link to file that easy to link to the download.php of the SecureFileDownload plugin instead of the file directly. If i would modify it i would combine SecureFileDownload and FileList and merge it to a new plugin.
I am about to do so but as i read in the feature requests of DownloadManager Frontenduser integration is planned there. So if you have some time i would wait and stick with DownloadManager. It is pretty nice and has an active developer.
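The mechanism described in the post above (folder closed by .htaccess, downloads routed through a script that checks the login and reads the file from disk), as an added example that is not part of the thread and is not the code of SecureFileDownload or DownloadManager. The directory path, the "file" query variable and the session key standing in for the FEU login check are assumptions made for illustration.

```php
<?php
// download.php: added example, not SecureFileDownload or DownloadManager code.
// Hypothetical names: PROTECTED_DIR, the "file" query variable, and the
// session key that stands in for the real FEU login/group check.
const PROTECTED_DIR = '/var/www/example/uploads/protected'; // "deny from all" applies here

function user_is_logged_in(): bool
{
    // Placeholder: replace with the FEU module's own login or group test.
    return !empty($_SESSION['feu_logged_in']);
}

// Resolve a requested name to a real file inside $baseDir, or null.
function resolve_protected_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks, so the prefix test
    // rejects anything that resolves outside the protected tree.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function serve_download(): void
{
    session_start();
    if (!user_is_logged_in()) {
        http_response_code(403);
        exit('Login required.');
    }
    $name = $_GET['file'] ?? '';
    $path = is_string($name) ? resolve_protected_file(PROTECTED_DIR, $name) : null;
    if ($path === null) {
        http_response_code(404);
        exit('File not found.');
    }
    // Keep the download name to a safe character set for the header.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path); // PHP reads from disk, so the web server's deny rule is not involved
    exit;
}

serve_download();
```

The script itself must live outside the denied folder, and the path check matters as much as the login check: without it, a logged-in user could request `../` paths and read files outside the protected tree.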
Re: Restrict folder to Front End Users?
Thanks for the lengthy response.
Unfortunately, my knowledge of PHP is extremely limited, and as a result, I have no idea how to write a script to deliver the file internally, although I understand the mechanism.
I checked DownloadManager out, and yes it does support restricting files to FEU Groups, but still doesn't offer a way to do so with a protected directory...
Re: Restrict folder to Front End Users?
I've been seeking the same or a similar feature for the last couple of days, but also no luck thus far. There's very little information to be found while Googling.
What the_obs would like to achieve is in other words (stating the problem differently might trigger someone's creativity) the following:
A directory or a tree in the webroot needs to be protected from direct access.
The usual way to do this is indeed using .htaccess.
If you want to offer access to certain persons, a simple username/password mechanism is available through Apache.
To use this in parallel with FEU is not an option because:
- this is very user-unfriendly (annoying), one has to log in twice...
- somehow the FEU username/password needs to be synchronized with the .htaccess password file, which leads to a whole other problem.
FEU is using sessions and a session id stored as a cookie, to my understanding. (Once logged in to FEU, closing the tab in your while not closing the browser itself does not close the session, thus it's possible to access the session to directly surf to a restricted page without the need of logging in again.)
In theory it should be possible to call a script from .htaccess that verifies if there is a valid session (checking the session id) and in that case provide access to this user.
If this were possible in a practical way that would serve a lot and could even be considered as a standard CMSMS feature. This also could be used to protect parts of the CMSMS tree which only are needed for the backend, provided the login concept for standard users is similar to the login concept of FEU...
I'm too new to PHP and therefore feel unable to create a solution in the short term, but hopefully my explanation triggers an expert PHP/.htaccess coder who also believes this would be a valid approach.
function_file_list is not really an option in my belief; it's rather a workaround up to a certain extent.
I would like to give an example of the inconvenience of certain approaches as seen i.e. with Downloadmanager. Although being a fantastic module, it doesn't offer a good mechanism for maintenance as it rewrites the filenames on disc after uploading. If a file needs to be updated this has to be done by hand, file by file. If the .htaccess approach were possible it would become far easier. A java filemanager could then be used to offer a directory tree to authorized users, and maintenance could be easily done i.e. by means of rsync in a nightly cron job.
Last edited by gdur on Fri Sep 24, 2010 2:50 pm, edited 1 time in total.
Re: Restrict folder to Front End Users?
I think you are complicating the problem.
I don't need individual users to be able to access the directory (hence I do not need to authorize users one by one), but groups, or indeed any logged in user.
Hence we create ONE .htaccess user (e.g. username=fileusr, pwd=1234) to access the protected directory, and then with smarty logic:
{if user logged in} (or if user memberof xyz)
{call file list with parameters user="fileusr" password="1234" directory=".../ProtectedDirectory/"}
{else}
error message
{/if}
Re: Restrict folder to Front End Users?
This is a very simple problem to solve. I've done it hundreds of times.
Needed:
a) FEU,
b) Uploads module (or some other module that obfuscates the URLS to the files properly).
Uploads module already handles limiting access via FEU group, but does not handle
nested folders.
c) A simple .htaccess file in the folder(s) that is(are) to be protected.
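# No space after the comma: Apache rejects "deny, allow" as a syntax error
# and then answers every request to this folder with a 500 error.
order deny,allow
deny from all
allow from 127.0.0.1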
Re: Restrict folder to Front End Users?
Calguy, is the "allow from" IP address for localhost? I have FEU and Uploads set up, but I think the .htaccess would be a good addition.
I'm getting hung up on the nested folder situation. I was trying to use File List as a solution after I read the_obs' post, but the UDT isn't spitting out the list.
Code: Select all
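echo "<ul>";
// $dir is used as a filesystem path here: a leading "/" means the server's root, not the site's web root.
$dir = "/uploads/" . $params["category"] . "/";
if (is_dir($dir)) {
    // open the directory once and close it when done
    if ($handle = opendir($dir)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") {
                // escape the name so a crafted filename cannot inject markup
                $href = htmlspecialchars($dir . $file, ENT_QUOTES);
                $name = htmlspecialchars($file, ENT_QUOTES);
                echo "<li><a href='$href' target='_blank'>$name</a></li>";
            }
        }
        closedir($handle);
    }
}
echo "</ul>";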
Re: Restrict folder to Front End Users?
calguy1000 wrote:
This is a very simple problem to solve. I've done it hundreds of times.
Needed:
a) FEU,
b) Uploads module (or some other module that obfuscates the URLS to the files properly).
Uploads module already handles limiting access via FEU group, but does not handle
nested folders.
c) A simple .htaccess file in the folder(s) that is(are) to be protected.
order deny,allow
deny from all
allow from 127.0.0.1
That worked great in limiting access to the folder from the outside (I get a "Server Error! The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script." when trying to access the protected folder, is this normal?)
File List however has no problems listing the contents of the folder.
The problem is when the user wishes to download the file, File List actually only directs the user to the folder, so the user cannot download the file since folder is protected (same Server Error message).
How can I solve this?
EDIT: The DownloadManager module works perfectly. Manages to list and feed the download to the user, only if he is logged in/member of the right FEU group. Great module!
Last edited by the_obs on Sun Sep 26, 2010 10:04 am, edited 1 time in total.