File Upload Security
Posted: Tue Jan 09, 2007 5:44 pm
Hi - I was playing around with uploading files through the 'insert/edit hyperlink' capability of the rich text editor I use when editing page content. I noticed that when I upload a file, it is also be donwloaded by typing it's url directly into the address bar of the browser.
My question is this:
What if I want to be able to upload files to CMS into a directory that is not directly browsable, but which CMS is able to access through links on a page. The reasoning for this would be: I set up CMS, I create a page available only to certain users through FEU, I want that page to have links to some Word documents, but I want those Word documents to be accessible to only users with access to that page - they shouldn't be able to type in the Word documents url directly and be able to view or download the file.
Is there a way to do this in CMS? I tried messing with the uploads_path and uploads_url setings in the config.php file, but either I didn't figure what I needed to do to make it work, or I am going about this wrong.
Anyone have any thoughts? Is there a better way to work this problem?
Thanks.
Michael
My question is this:
What if I want to be able to upload files to CMS into a directory that is not directly browsable, but which CMS is able to access through links on a page. The reasoning for this would be: I set up CMS, I create a page available only to certain users through FEU, I want that page to have links to some Word documents, but I want those Word documents to be accessible to only users with access to that page - they shouldn't be able to type in the Word documents url directly and be able to view or download the file.
Is there a way to do this in CMS? I tried messing with the uploads_path and uploads_url setings in the config.php file, but either I didn't figure what I needed to do to make it work, or I am going about this wrong.
Anyone have any thoughts? Is there a better way to work this problem?
Thanks.
Michael