Prevent direct access to file assets

[douwe]

Hi,

I'm a happy new user of Processwire. I would like to use the new template setting 'prevent direct access to file assets'.

So I upgraded to the newest dev version 3.0.168. For a template I select the option 'Yes always, regardless of page status or access control'. In the file system is see that al the pagid's for pages with this template are being prefixed with a hyphen, f.e. ../assets/files/-1030/..
And when I try to load http://localhost:8080/site/assets/files/-1030/test.pdf i get a forbidden error, so that seems ok.

But... when I try to access the page without the hyphen (http://localhost:8080/site/assets/files/1030/test.pdf) the file is still being downloaded?!
I also tried setting $config->pagefileSecure = true and creating a new page with a file, but that doesn't work either.

Is there any other setting I should apply to prevent direct access?

Kind regards, Douwe.

[kongondo]

23 minutes ago, douwe said:

I'm a happy new user of Processwire.

Hi @douwe,

Welcome to ProcessWire and the forums.

24 minutes ago, douwe said:

But... when I try to access the page without the hyphen (http://localhost:8080/site/assets/files/1030/test.pdf) the file is still being downloaded?!
I also tried setting $config->pagefileSecure = true and creating a new page with a file, but that doesn't work either.

Was this page created before or after you enabled $config->pagefileSecure? pagefileSecure only works for pages you created after you enabled it. I am not 100% sure the same constraint applies in the case of template-level secure files.

[douwe]

Hi @kongondo,

Thanks for the quick reply.

New page (+files) is created after enabling $config->pagefileSecure. 
I create the page on the frontend with the api, but i also tried creating a new page in the backend.
Both have the same result:
Access with hyphen triggers a forbidden error.
Access without hyphen does download the file even if 'm not logged in.

 

 

 

 

[kongondo]

17 hours ago, douwe said:

Access without hyphen does download the file even if 'm not logged in.

OK. I'll see if I can replicate this on a new install.

[Robin S]

19 hours ago, douwe said:

But... when I try to access the page without the hyphen (http://localhost:8080/site/assets/files/1030/test.pdf) the file is still being downloaded?!

Are you testing this as a non-logged-in user, e.g. in an incognito window? The superuser is never restricted so if you are testing as a superuser then PW is going to serve you the file no matter what.

19 hours ago, douwe said:

And when I try to load http://localhost:8080/site/assets/files/-1030/test.pdf i get a forbidden error, so that seems ok.

Don't include the hyphen in the URL. The correct URL in this case would be http://localhost:8080/site/assets/files/1030/test.pdf. The point is that direct access to the file at its actual location is forbidden, and instead PHP will grant or block access to the file depending on if the user is allowed.

[kongondo]

18 hours ago, douwe said:

Access without hyphen does download the file even if 'm not logged in.

Tested and it works fine. As Robin S suggested above, you are probably logged in. Try in a different browser or in incognito.

[kongondo]

28 minutes ago, Robin S said:

Are you testing this as a non-logged-in user, e.g. in an incognito window?

That seems to be the case... 

18 hours ago, douwe said:

Access without hyphen does download the file even if 'm not logged in.

 

Edited November 24, 2020 by kongondo

[Robin S]

54 minutes ago, kongondo said:

That seems to be the case...

Oh, right. Then the other thing to check is that the guest role does not have view access for the template. The notes for the "Prevent direct access to file assets" setting explain that this option means that files have the same access as the page that owns them.

So if you want to deny file access to guests (or any other role besides superuser) then you must deny view access to the template for that role. 

[douwe]

Thank you for helping me @kongondo and @Robin S.
Disabling the 'view pages' role does prevent accessing the files. A 404-page shows up, but the user can't create a new page either.

The goal I'm trying to achieve is that a logged in user can only download the files attached to his own pages ($user->id == $page->created_users_id). Logged in users are creating pages with uploads in the frontend (api). I made a role for logged in users, but than they can still download each others files.

I think I need a hook somewhere so that not only the role is checked but also the created_users_id.
Is that the way to go? And to which function should I apply the hook?

[Robin S]

11 hours ago, douwe said:

The goal I'm trying to achieve is that a logged in user can only download the files attached to his own pages ($user->id == $page->created_users_id).

You'll need to use a hook for this rather than the access settings in the template. Give the role view and edit access in the template settings and add the following in /site/init.php

$wire->addHookAfter('Page::viewable, Page::editable', function(HookEvent $event) {
	$page = $event->object;
	$user = $event->wire()->user;
	// Only for non-superusers, for a specific template
	if($user->isSuperuser() || $page->template != 'restrict_files') return; // Adjust to suit your template name
	// User may only view or edit page if they created it
	$event->return = $page->created_users_id === $user->id;
});

 

[douwe]

Yes!! Thank you, that's exactly what I need. 
I can also leave away the userid/created_users_id check that I had in my template php-file. The hook is also providing for that.
Thanks again for this very educating reply (for me at least).