Jump to content

Secure page files


JFn
 Share

Recommended Posts

When $config->pagefileSecure is on (so you secure your unpublished page files) and you clone a page that has an image field, the newly created page (which is unpublished by default), does not show any of the images or thumbnails. You only get to see transparent thumbnails.

Is this expected behavior? The "Secure page files" option mentions:

Quote

When, true, prevents http access to file assets of access protected pages.
Set to true if you want files on non-public or unpublished pages to be protected from direct URL access.
When used, such files will be delivered at a URL that is protected from public access.

Surely as a superuser or editor you should be able to see the images and thumbnails of an unpublished page, even if it's protected from public access?

Or am I missing something?

Link to comment
Share on other sites

8 minutes ago, dragan said:

is this in the frontend or backend? Or both?

Logged in as superuser, the unpublished copied page, in the frontend with selector "include=all" does return the url of the image, but surfing to it in site/assets/files gives a 'not found'. Which is fine since this is what the $config->pagefileSecure should do, restrict access to the unpublished page its images, if you try to get it publicly.

But I was under the impression that regardless, you should be able to access the images in the admin backend, since this is where you manage the images, whether the page is published or not. This is not the case at the moment, when $config->pagefileSecure is on, you can't see the images of an unpublished copied page.

Link to comment
Share on other sites

17 hours ago, JFn said:

But I was under the impression that regardless, you should be able to access the images in the admin backend, since this is where you manage the images, whether the page is published or not.

Just tested it locally in two different ProcessWire instances and it worked as expected. Used my admin user and I saw the images, was able to edit/delete them.

ProcessWire 3.0.133 and 3.0.98.

Can you actually view these images by taking their URLs? Maybe it's just a cache or browser glitch in the backend somehow.

Are there 404 or other warnings in the console > network tab?

  • Like 1
Link to comment
Share on other sites

3 hours ago, wbmnfktr said:

Are there 404 or other warnings in the console > network tab?

yes, there is a 404 for the image in the backend admin. If I go directly to the asset url the same 'not found'.
Are you sure you made a copy of an existing page and kept it unpublished?

In this instance I'm on 3.0.123, but it's not version related, because I had it before in the past, with older versions, and even with another host.

Something else I noticed, the image field states the correct Dimension and Filesize, but initially zero (0) Variations. Maybe the variations don't get copied correctly when keeping the page unpublished and assets page files secured?

Edited by JFn
correction
Link to comment
Share on other sites

Doesn't even need to be a copied page.
Just $config->pagefileSecure to on, and unpublished pages do not show images anymore in the admin backend.

Maybe a server setting? I did not do any custom changes to the pw 3 htaccess file.

Link to comment
Share on other sites

Update

My bad ? after a checking everything again, I did have an old custom change I forgot about in the htaccess file...
(Directive #18. where Ryan put in a warning that it could produce a 404 in combination with $config->pagefileSecure)

Thanks Hero's for looking into it.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...