Jump to content

[solved, by alternative] How to create a secure $page (with dot-prefix) via API?

horst

By horst
in General Support

 Share

Recommended Posts

horst Hero Member

horst

Posted
Posted

Hi,

there is a need to create new pages via API, under site/assets/files/, that should be completly access blocked by PW (.htaccess) through a prefix dot. How can I achieve that through the API? 

$p = new Page();
??

 

Robin S Hero Member

Robin S

Posted
Posted

Hi @horst,

Do you mean a mean the access to the page is blocked, or access to files stored in a files/images field on the page?

For the page itself I would think you'd use role-based access, or just do not give the page's template a template file. But you would have thought of this already so maybe you need something else?

For the files you can enable  $config->pagefileSecure and then do not give the guest role access to the page. See the blog post and the $config docs. Also, there is the FieldtypeSecureFile module. 

  • Like 1
horst Hero Member

horst

Posted
  • Author
Posted

Hi @Robin S,

thanks for the hints. I search for a solution to secure pagedirectories from any http access (403 for everything). These pages are for internal use through a module. But I don't want to have the user to change $config settings for that. It should be done silently in the background for the module users.

So, I believe I have to go the .htaccess way per directory. Only thing here is, I have to support apche 2.2 and 2.4 together.

Does anybody know if this is working on every Apache 2.4 installation? 

<IfModule mod_authz_core.c>
	## directives for Apache 2.4
	Require all denied
</IfModule>

<IfModule !mod_authz_core.c>
	## directives for Apache 2.2
	Order deny,allow
	Deny from all
</IfModule>

Or if it is possible to find Apache 2.4 installations that do not have the mod_authz_core.c enabled / compiled in?

Martijn Geerts Hero Member

Martijn Geerts

Posted
Posted

Is is possible to hook on file added and place a htacces in it when not already exists? or do I misunderstood your question alltogether... 

file_put_contents('/path/to/the/specific/assets/folder/.htaccess', "<Files *.*>\n\tdeny from all\n</Files>\n");

 

  • Like 5
BitPoet Hero Member

BitPoet

Posted
Posted

Perhaps this small snippet for site/ready.php could be also sufficient (it prepends a dot to the directory name for pages with a given template): 

<?php

wire()->addHookAfter("PagefilesManager::path", null, "protectedpath");
	
function protectedpath(HookEvent $event) {
	$page = $event->object->page;
	if($page->template == 'specialpath') {
		$event->return = preg_replace('~(\d+/?)$~', '.$1', $event->return);
	}
}

 

  • Like 5
horst Hero Member

horst

Posted
  • Author
Posted

all very useful snippets and hints!

My current question was simply how the apache directives are that block access, and work in any Apache version (2.2, 2.4)

I thought there were a need for different terms, depending on the apache version. But now, after reading @Martijn Geerts example (Thanks!), I saw that the Files-directive is also available in Apache 2.4. (unchanged as it was in 2.2 and also 2.0 and 1.3, and ...). :lol:

So, thank you all for your help and tipps. This solved my question!

 

@BitPoet: this one is very handy too. I bookmarked it for later, other use cases. Thanks!

  • Like 2

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...