[solved, by alternative] How to create a secure $page (with dot-prefix) via API?

[horst]

Hi,

there is a need to create new pages via API, under site/assets/files/, that should be completly access blocked by PW (.htaccess) through a prefix dot. How can I achieve that through the API?

$p = new Page();
??

 

[Robin S]

Hi @horst,

Do you mean a mean the access to the page is blocked, or access to files stored in a files/images field on the page?

For the page itself I would think you'd use role-based access, or just do not give the page's template a template file. But you would have thought of this already so maybe you need something else?

For the files you can enable  $config->pagefileSecure and then do not give the guest role access to the page. See the blog post and the $config docs. Also, there is the FieldtypeSecureFile module. 

[horst]

Hi @Robin S,

thanks for the hints. I search for a solution to secure pagedirectories from any http access (403 for everything). These pages are for internal use through a module. But I don't want to have the user to change $config settings for that. It should be done silently in the background for the module users.

So, I believe I have to go the .htaccess way per directory. Only thing here is, I have to support apche 2.2 and 2.4 together.

Does anybody know if this is working on every Apache 2.4 installation?

<IfModule mod_authz_core.c>
	## directives for Apache 2.4
	Require all denied
</IfModule>

<IfModule !mod_authz_core.c>
	## directives for Apache 2.2
	Order deny,allow
	Deny from all
</IfModule>

Or if it is possible to find Apache 2.4 installations that do not have the mod_authz_core.c enabled / compiled in?

[Martijn Geerts]

Is is possible to hook on file added and place a htacces in it when not already exists? or do I misunderstood your question alltogether...

file_put_contents('/path/to/the/specific/assets/folder/.htaccess', "<Files *.*>\n\tdeny from all\n</Files>\n");

 

[BitPoet]

Perhaps this small snippet for site/ready.php could be also sufficient (it prepends a dot to the directory name for pages with a given template):

<?php

wire()->addHookAfter("PagefilesManager::path", null, "protectedpath");
	
function protectedpath(HookEvent $event) {
	$page = $event->object->page;
	if($page->template == 'specialpath') {
		$event->return = preg_replace('~(\d+/?)$~', '.$1', $event->return);
	}
}

 

[horst]

all very useful snippets and hints!

My current question was simply how the apache directives are that block access, and work in any Apache version (2.2, 2.4)

I thought there were a need for different terms, depending on the apache version. But now, after reading @Martijn Geerts example (Thanks!), I saw that the Files-directive is also available in Apache 2.4. (unchanged as it was in 2.2 and also 2.0 and 1.3, and ...).

So, thank you all for your help and tipps. This solved my question!

 

@BitPoet: this one is very handy too. I bookmarked it for later, other use cases. Thanks!