- rank:
-
Freshman
- registered:
- February 2005
- Status:
- offline
- last visit:
- 07.05.05
- Posts:
- 7
How can I prevent users from downloading certain files?
One way is not showing them but they would still have access.
I could use Apache's security but then you need to enter another password and I would have to manage 2 passwords per user.
Any idea, tip, hint would be welcome!
Thanks,
PowerBe -
- rank:
-
Professional
- registered:
- April 2004
- Status:
- offline
- last visit:
- 21.01.08
- Posts:
- 2723
Use the Permissions Module. There is a sticky tutorial at the top of the Permissions forum.
--
Photography | PHP | Other -
- rank:
-
Freshman
- registered:
- February 2005
- Status:
- offline
- last visit:
- 07.05.05
- Posts:
- 7
Thanks for your reply.
I understand now how to set the permissions at PHP level so you can't access or even see the file, but since the download module requires a valid URL of the file, a user could still access the file directly on the server. Looks like I'm looking for a way to promote the permissions to the level of the Apache aliases.
What am I missing?
My target: only allow a certain user / group download access to a certain file (so, also, not allowing unauthorised users to access the file(s) directly on my Apache server).
Thanks,
PowerBe -
- rank:
-
Helper
- registered:
- July 2004
- Status:
- offline
- last visit:
- 12.06.05
- Posts:
- 114
That would require a bit of a rewrite of the module. It can be done, however. If you password protect the directory using Apache's security, you'd have to pass the username and password along with the request, so you'd probably want to use something like the Snoopy class to actually fetch the file. It would just be a simple matter of replacing the pnRedirect() call that redirects the download request straight to the file with a routine that populates the user and password fields within a Snoopy object and then fetch the file that way. That would prevent anyone from being able to directly access the file with their browser by bypassing the download module entirely.
Ed -
- rank:
-
Freshman
- registered:
- February 2005
- Status:
- offline
- last visit:
- 07.05.05
- Posts:
- 7
Sounds like work to be done.
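I just found a way around this to prevent the file from being accessed outside the PHP, by setting the following in the Apache httpd.conf file:
# Set AllowThis when the request carries a Referer header starting with this site's URL
SetEnvIf Referer "^http://www.MyServer.com/" AllowThis
Alias /Patches/ "/Downloads/Patches/"
<Directory "/Downloads/Patches">
# Deny everyone, then let through only requests where AllowThis is set
Order deny,allow
Deny from all
Allow from env=AllowThis
</Directory>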
Well, not that secure...
PowerBe
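
A variant of the approach Ed describes, as an added example that is not code from the thread or from PostNuke: the redirect to the file is replaced by a routine that reads the file from disk (instead of fetching it over HTTP with Snoopy), so the directory can stay under a plain "Deny from all" with no Referer exception and no second password. PROTECTED_DIR, resolveDownload(), serveDownload() and the $isAllowed callback are assumed names; the callback stands in for the module's own permission check.

```php
<?php
// Added example. PROTECTED_DIR and $isAllowed are assumed names, not PostNuke APIs.
const PROTECTED_DIR = '/Downloads/Patches'; // directory from the thread, denied to all in Apache

// Map a requested name to a real file inside $baseDir, or null if it is not one.
function resolveDownload(string $name, string $baseDir = PROTECTED_DIR): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '') {
        return null;
    }
    // basename() drops any directory part, so "../../x" is looked up as "x".
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so confirm the target is still under the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Check permission first, then stream the file; returns the HTTP status used.
function serveDownload(string $name, callable $isAllowed): int
{
    if (!$isAllowed($name)) {
        http_response_code(403);
        return 403;
    }
    $path = resolveDownload($name);
    if ($path === null) {
        http_response_code(404);
        return 404;
    }
    $filename = str_replace(['"', '\\'], '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    return 200;
}

// Constructed usage: deny by default until the real permission check is wired in.
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
serveDownload($requested, function (string $file): bool {
    return false; // replace with the module's permission check for this user and file
});
```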
