Jump to content
suntrop

How does pagefileSecure work?

Recommended Posts

I couldn't find much about the pagefileSecure option. Is this just a runtime setting I can switch on or off anytime? Or is it only for files uploaded later? Is there anything changing in the files/assets folder?

Share this post


Link to post
Share on other sites

as far as I know (never used it so far) it works on newly created files only (so after enabling pagefileSecure) and changes file urls, think by adding a hyphen or something which I guess .htaccess blocks already..have a look at wire/config.php

excerpt:

/**
 * Secure page files?
 *
 * When, true, prevents http access to file assets of access protected pages.
 *
 * Set to true if you want files on non-public or unpublished pages to be
 * protected from direct URL access.
 *
 * When used, such files will be delivered at a URL that is protected from public access.
 *
 * @var bool
 *
 */
$config->pagefileSecure = false;

/**
 * Prefix for secure page files
 *
 * One or more characters prefixed to the pathname of secured file dirs.
 *
 * If use of this feature originated with a pre-2.3 install, this may need to be 
 * specified as "." rather than "-". 
 *
 */
$config->pagefileSecurePathPrefix = '-';

to get it working you need to block access by guest role for those templates, have a read at https://processwire.com/talk/topic/5292-proctecting-files-from-non-logged-in-users/

might be of interest:
https://processwire.com/talk/topic/15622-pagefilesecure-and-pageispublic-hook-not-working/

 

  • Like 2

Share this post


Link to post
Share on other sites

Thanks Can.

I knew that already. I was wondering how it works. The brief description in the config is a little less to know about it.

I need to go a step deeper I think, because the files I am going to protect are for specific users only (billing PDF)

Share this post


Link to post
Share on other sites

If you enable the pagefileSecure, requets to serve files from /site/assets/files are not delivered directly by the webserver but routed through ProcessWire, which does the permission checks. So it slows down the delivery of the files, because they are served by PHP.

If you only need to secure specific files, you could also try the SecureFile module: http://modules.processwire.com/modules/fieldtype-secure-file/
It is an extension of a regular file field with the possibility to customize the storage location - here you would typically choose a folder outside the web root.

Cheers

  • Like 2

Share this post


Link to post
Share on other sites

Thanks Wanze! I had a look at it, but I think I will develop something on my own. I am always in worries when using 3rd party plugins for a vital part of my website :-) Especially if it is not "easily" exchangeable. 

Share this post


Link to post
Share on other sites

@suntrop

That decision is up to you of course. Since the module is released open source, you are free to change the code according to your needs - should you need any starting point ;-)

  • Like 1

Share this post


Link to post
Share on other sites

Yeah …  maybe I'll give it a try. Had just a short look into the code, don't know if I understand everything :-)  And that could be the bottle neck, if I need to update it somewhen

  • Like 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...