Jump to content

How does pagefileSecure work?


suntrop
 Share

Recommended Posts

as far as I know (never used it so far) it works on newly created files only (so after enabling pagefileSecure) and changes file urls, think by adding a hyphen or something which I guess .htaccess blocks already..have a look at wire/config.php

excerpt:

/**
 * Secure page files?
 *
 * When, true, prevents http access to file assets of access protected pages.
 *
 * Set to true if you want files on non-public or unpublished pages to be
 * protected from direct URL access.
 *
 * When used, such files will be delivered at a URL that is protected from public access.
 *
 * @var bool
 *
 */
$config->pagefileSecure = false;

/**
 * Prefix for secure page files
 *
 * One or more characters prefixed to the pathname of secured file dirs.
 *
 * If use of this feature originated with a pre-2.3 install, this may need to be 
 * specified as "." rather than "-". 
 *
 */
$config->pagefileSecurePathPrefix = '-';

to get it working you need to block access by guest role for those templates, have a read at https://processwire.com/talk/topic/5292-proctecting-files-from-non-logged-in-users/

might be of interest:
https://processwire.com/talk/topic/15622-pagefilesecure-and-pageispublic-hook-not-working/

 

  • Like 2
Link to comment
Share on other sites

Thanks Can.

I knew that already. I was wondering how it works. The brief description in the config is a little less to know about it.

I need to go a step deeper I think, because the files I am going to protect are for specific users only (billing PDF)

Link to comment
Share on other sites

If you enable the pagefileSecure, requets to serve files from /site/assets/files are not delivered directly by the webserver but routed through ProcessWire, which does the permission checks. So it slows down the delivery of the files, because they are served by PHP.

If you only need to secure specific files, you could also try the SecureFile module: http://modules.processwire.com/modules/fieldtype-secure-file/
It is an extension of a regular file field with the possibility to customize the storage location - here you would typically choose a folder outside the web root.

Cheers

  • Like 2
Link to comment
Share on other sites

  • 4 years later...

Hey!

I just added this line in my config.php

$config->pagefileSecure = true;

I've got two questions:

  1. Is there a way to change existing files to secure ones?
  2. Do i necessarily need the line:
    $config->pagefileSecurePathPrefix = '-';

Thanks and greets!

  • Like 1
Link to comment
Share on other sites

On 11/5/2021 at 12:41 AM, tires said:
  1. Is there a way to change existing files to secure ones?
  2. Do i necessarily need the line:
    $config->pagefileSecurePathPrefix = '-';

Thanks and greets!

I've done a small test. Let's say you have a template "onlymembers" with a files-field "members_pdf". In this case your pdf file is safe as soon as you set pagefileSecure to true AND restrict the access of the template "onlymembers" (i.e. remove all guest access rights). ProcessWire gave me a 404 page. You don't need the pagefileSecurePathPrefix line. It is set by default.

Hope that helps.

  • Like 1
Link to comment
Share on other sites

Thanks a lot! That helps me!

I recognized that the secure directories now looks like this "-myfolder". But if i echo the file-url the path is without the "-" i.e. "myfolder/myfile.pdf".
Is that how it should work?

 

And is there a solution for this problem:

1 hour ago, Kholja said:

Is there a way to change existing files to secure ones?

 

Thanks!!!

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...