How does pagefileSecure work?

[suntrop]

I couldn't find much about the pagefileSecure option. Is this just a runtime setting I can switch on or off anytime? Or is it only for files uploaded later? Is there anything changing in the files/assets folder?

[Can]

as far as I know (never used it so far) it works on newly created files only (so after enabling pagefileSecure) and changes file urls, think by adding a hyphen or something which I guess .htaccess blocks already..have a look at wire/config.php

excerpt:

/**
 * Secure page files?
 *
 * When, true, prevents http access to file assets of access protected pages.
 *
 * Set to true if you want files on non-public or unpublished pages to be
 * protected from direct URL access.
 *
 * When used, such files will be delivered at a URL that is protected from public access.
 *
 * @var bool
 *
 */
$config->pagefileSecure = false;

/**
 * Prefix for secure page files
 *
 * One or more characters prefixed to the pathname of secured file dirs.
 *
 * If use of this feature originated with a pre-2.3 install, this may need to be 
 * specified as "." rather than "-". 
 *
 */
$config->pagefileSecurePathPrefix = '-';

to get it working you need to block access by guest role for those templates, have a read at https://processwire.com/talk/topic/5292-proctecting-files-from-non-logged-in-users/

might be of interest:
https://processwire.com/talk/topic/15622-pagefilesecure-and-pageispublic-hook-not-working/

 

[suntrop]

Thanks Can.

I knew that already. I was wondering how it works. The brief description in the config is a little less to know about it.

I need to go a step deeper I think, because the files I am going to protect are for specific users only (billing PDF)

[Wanze]

If you enable the pagefileSecure, requets to serve files from /site/assets/files are not delivered directly by the webserver but routed through ProcessWire, which does the permission checks. So it slows down the delivery of the files, because they are served by PHP.

If you only need to secure specific files, you could also try the SecureFile module: http://modules.processwire.com/modules/fieldtype-secure-file/
It is an extension of a regular file field with the possibility to customize the storage location - here you would typically choose a folder outside the web root.

Cheers

[suntrop]

Thanks Wanze! I had a look at it, but I think I will develop something on my own. I am always in worries when using 3rd party plugins for a vital part of my website  Especially if it is not "easily" exchangeable. 

[Wanze]

@suntrop

That decision is up to you of course. Since the module is released open source, you are free to change the code according to your needs - should you need any starting point ;-)

[suntrop]

Yeah …  maybe I'll give it a try. Had just a short look into the code, don't know if I understand everything  And that could be the bottle neck, if I need to update it somewhen

[tires]

Hey!

I just added this line in my config.php

$config->pagefileSecure = true;

I've got two questions:

1. Is there a way to change existing files to secure ones?
2. Do i necessarily need the line:
   $config->pagefileSecurePathPrefix = '-';

Thanks and greets!

[tires]

BTW.
Is there a way to check if a file is secure or not?
Or to check if there are insecure files on my website?

Thanks!

[Kholja]

On 11/5/2021 at 12:41 AM, tires said:

1. Is there a way to change existing files to secure ones?
2. Do i necessarily need the line:
   $config->pagefileSecurePathPrefix = '-';

Thanks and greets!

I've done a small test. Let's say you have a template "onlymembers" with a files-field "members_pdf". In this case your pdf file is safe as soon as you set pagefileSecure to true AND restrict the access of the template "onlymembers" (i.e. remove all guest access rights). ProcessWire gave me a 404 page. You don't need the pagefileSecurePathPrefix line. It is set by default.

Hope that helps.

[Kholja]

On 11/8/2021 at 1:17 PM, tires said:

Is there a way to check if a file is secure or not?
Or to check if there are insecure files on my website?

Thanks!

As of ProcessWire 3.0.166 this may be an option:

https://processwire.com/api/ref/page/secure-files/

[tires]

Thanks a lot! That helps me!

I recognized that the secure directories now looks like this "-myfolder". But if i echo the file-url the path is without the "-" i.e. "myfolder/myfile.pdf".
Is that how it should work?

 

And is there a solution for this problem:

1 hour ago, Kholja said:

Is there a way to change existing files to secure ones?

 

Thanks!!!

[tires]

After a few month walk by i just want to ask again:

Is there a way to change existing files into secure files?
If i understand this right after i add the $config->pagefileSecure = true to my config file all files from now on are secure ... but not the old ones, right?

[tires]

On 10/11/2022 at 10:37 PM, tires said:

Is there a way to change existing files into secure files?
If i understand this right after i add the $config->pagefileSecure = true to my config file all files from now on are secure ... but not the old ones, right?

Ok, i find it out:

If i add "$config->pagefileSecure = true;" to my site/config.php all files are secure immediately!
I does't have to do any further steps to secure old files.