douwe

Yes!! Thank you, that's exactly what I need. I can also leave away the userid/created_users_id check that I had in my template php-file. The hook is also providing for that. Thanks again for this very educating reply (for me at least).

Thank you for helping me @kongondo and @Robin S. Disabling the 'view pages' role does prevent accessing the files. A 404-page shows up, but the user can't create a new page either. The goal I'm trying to achieve is that a logged in user can only download the files attached to his own pages ($user->id == $page->created_users_id). Logged in users are creating pages with uploads in the frontend (api). I made a role for logged in users, but than they can still download each others files. I think I need a hook somewhere so that not only the role is checked but also the created_users_id. Is that the way to go? And to which function should I apply the hook?

Hi @kongondo, Thanks for the quick reply. New page (+files) is created after enabling $config->pagefileSecure. I create the page on the frontend with the api, but i also tried creating a new page in the backend. Both have the same result: Access with hyphen triggers a forbidden error. Access without hyphen does download the file even if 'm not logged in.

Hi, I'm a happy new user of Processwire. I would like to use the new template setting 'prevent direct access to file assets'. So I upgraded to the newest dev version 3.0.168. For a template I select the option 'Yes always, regardless of page status or access control'. In the file system is see that al the pagid's for pages with this template are being prefixed with a hyphen, f.e. ../assets/files/-1030/.. And when I try to load http://localhost:8080/site/assets/files/-1030/test.pdf i get a forbidden error, so that seems ok. But... when I try to access the page without the hyphen (http://localhost:8080/site/assets/files/1030/test.pdf) the file is still being downloaded?! I also tried setting $config->pagefileSecure = true and creating a new page with a file, but that doesn't work either. Is there any other setting I should apply to prevent direct access? Kind regards, Douwe.