Prevent direct access to file assets


douwe

Hi,

I'm a happy new user of ProcessWire. I would like to use the new template setting 'prevent direct access to file assets'.

So I upgraded to the newest dev version 3.0.168. For a template I select the option 'Yes always, regardless of page status or access control'. In the file system I see that all the page IDs for pages with this template are being prefixed with a hyphen, e.g. ../assets/files/-1030/..
And when I try to load http://localhost:8080/site/assets/files/-1030/test.pdf I get a forbidden error, so that seems ok.

But... when I try to access the page without the hyphen (http://localhost:8080/site/assets/files/1030/test.pdf) the file is still being downloaded?!
I also tried setting $config->pagefileSecure = true and creating a new page with a file, but that doesn't work either.

Is there any other setting I should apply to prevent direct access?

Kind regards, Douwe.


23 minutes ago, douwe said:

I'm a happy new user of ProcessWire.

Hi @douwe,

Welcome to ProcessWire and the forums.

24 minutes ago, douwe said:

But... when I try to access the page without the hyphen (http://localhost:8080/site/assets/files/1030/test.pdf) the file is still being downloaded?!
I also tried setting $config->pagefileSecure = true and creating a new page with a file, but that doesn't work either.

Was this page created before or after you enabled $config->pagefileSecure? pagefileSecure only works for pages you created after you enabled it. I am not 100% sure the same constraint applies in the case of template-level secure files.


Hi @kongondo,

Thanks for the quick reply.

New page (+files) is created after enabling $config->pagefileSecure.
I create the page on the frontend with the API, but I also tried creating a new page in the backend.
Both have the same result:
Access with hyphen triggers a forbidden error.
Access without hyphen does download the file even if I'm not logged in.

 

 

 

 


19 hours ago, douwe said:

But... when I try to access the page without the hyphen (http://localhost:8080/site/assets/files/1030/test.pdf) the file is still being downloaded?!

Are you testing this as a non-logged-in user, e.g. in an incognito window? The superuser is never restricted so if you are testing as a superuser then PW is going to serve you the file no matter what.

19 hours ago, douwe said:

And when I try to load http://localhost:8080/site/assets/files/-1030/test.pdf I get a forbidden error, so that seems ok.

Don't include the hyphen in the URL. The correct URL in this case would be http://localhost:8080/site/assets/files/1030/test.pdf. The point is that direct access to the file at its actual location is forbidden, and instead PHP will grant or block access to the file depending on if the user is allowed.


28 minutes ago, Robin S said:

Are you testing this as a non-logged-in user, e.g. in an incognito window?

That seems to be the case... 

18 hours ago, douwe said:

Access without hyphen does download the file even if I'm not logged in.

 

Edited by kongondo

54 minutes ago, kongondo said:

That seems to be the case...

Oh, right. Then the other thing to check is that the guest role does not have view access for the template. The notes for the "Prevent direct access to file assets" setting explain that this option means that files have the same access as the page that owns them.

So if you want to deny file access to guests (or any other role besides superuser) then you must deny view access to the template for that role. 


Thank you for helping me @kongondo and @Robin S.
Disabling the 'view pages' role does prevent accessing the files. A 404-page shows up, but the user can't create a new page either.

The goal I'm trying to achieve is that a logged in user can only download the files attached to his own pages ($user->id == $page->created_users_id). Logged in users are creating pages with uploads in the frontend (API). I made a role for logged in users, but then they can still download each other's files.

I think I need a hook somewhere so that not only the role is checked but also the created_users_id.
Is that the way to go? And to which function should I apply the hook?


11 hours ago, douwe said:

The goal I'm trying to achieve is that a logged in user can only download the files attached to his own pages ($user->id == $page->created_users_id).

You'll need to use a hook for this rather than the access settings in the template. Give the role view and edit access in the template settings and add the following in /site/init.php

$wire->addHookAfter('Page::viewable, Page::editable', function(HookEvent $event) {
	$page = $event->object;
	$user = $event->wire()->user;
	// Only for non-superusers, for a specific template
	if($user->isSuperuser() || $page->template != 'restrict_files') return; // Adjust to suit your template name
	// User may only view or edit page if they created it
	$event->return = $page->created_users_id === $user->id;
});

 

  • Thanks 1
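
A stricter variant of the ownership hook above, as an added example that is not part of the thread and not ProcessWire's own code: it only narrows what the template access settings already allow, and it never treats the shared guest account as an owner. The template name `restrict_files` is the one used in the post above.

```php
<?php namespace ProcessWire;

// /site/init.php
// Added example: 'restrict_files' is the template name taken from the thread.
$wire->addHookAfter('Page::viewable, Page::editable', function(HookEvent $event) {
	/** @var Page $page */
	$page = $event->object;
	$user = $event->wire()->user;

	// Superusers and all other templates keep the normal access rules
	if($user->isSuperuser() || $page->template->name !== 'restrict_files') return;

	// Core access control already denied the request (role lacks access,
	// page not viewable for another reason): keep that decision.
	// This hook only ever removes access, it never grants it.
	if(!$event->return) return;

	// All anonymous visitors share the single guest user, so a page that was
	// created while not logged in must not count as "owned" by every visitor.
	if(!$user->isLoggedin()) {
		$event->return = false;
		return;
	}

	// Owner check; cast both sides so the strict comparison
	// cannot fail on an int/string mismatch.
	$event->return = (int) $page->created_users_id === (int) $user->id;
});
```

As in the post above, the role still needs view and edit access in the template settings; with 'prevent direct access to file assets' enabled, file requests then follow the same page-level decision.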

Yes!! Thank you, that's exactly what I need. 
I can also leave out the userid/created_users_id check that I had in my template php-file. The hook is also providing for that.
Thanks again for this very educating reply (for me at least).

  • Like 1