Jump to content
douwe

Prevent direct access to file assets

Recommended Posts

Hi,

I'm a happy new user of Processwire. I would like to use the new template setting 'prevent direct access to file assets'.

So I upgraded to the newest dev version 3.0.168. For a template I select the option 'Yes always, regardless of page status or access control'. In the file system is see that al the pagid's for pages with this template are being prefixed with a hyphen, f.e. ../assets/files/-1030/..
And when I try to load http://localhost:8080/site/assets/files/-1030/test.pdf i get a forbidden error, so that seems ok.

But... when I try to access the page without the hyphen (http://localhost:8080/site/assets/files/1030/test.pdf) the file is still being downloaded?!
I also tried setting $config->pagefileSecure = true and creating a new page with a file, but that doesn't work either.

Is there any other setting I should apply to prevent direct access?

Kind regards, Douwe.

Share this post


Link to post
Share on other sites
23 minutes ago, douwe said:

I'm a happy new user of Processwire.

Hi @douwe,

Welcome to ProcessWire and the forums.

24 minutes ago, douwe said:

But... when I try to access the page without the hyphen (http://localhost:8080/site/assets/files/1030/test.pdf) the file is still being downloaded?!
I also tried setting $config->pagefileSecure = true and creating a new page with a file, but that doesn't work either.

Was this page created before or after you enabled $config->pagefileSecure? pagefileSecure only works for pages you created after you enabled it. I am not 100% sure the same constraint applies in the case of template-level secure files.

Share this post


Link to post
Share on other sites

Hi @kongondo,

Thanks for the quick reply.

New page (+files) is created after enabling $config->pagefileSecure. 
I create the page on the frontend with the api, but i also tried creating a new page in the backend.
Both have the same result:
Access with hyphen triggers a forbidden error.
Access without hyphen does download the file even if 'm not logged in.

 

 

 

 

Share this post


Link to post
Share on other sites
17 hours ago, douwe said:

Access without hyphen does download the file even if 'm not logged in.

OK. I'll see if I can replicate this on a new install.

Share this post


Link to post
Share on other sites
19 hours ago, douwe said:

But... when I try to access the page without the hyphen (http://localhost:8080/site/assets/files/1030/test.pdf) the file is still being downloaded?!

Are you testing this as a non-logged-in user, e.g. in an incognito window? The superuser is never restricted so if you are testing as a superuser then PW is going to serve you the file no matter what.

19 hours ago, douwe said:

And when I try to load http://localhost:8080/site/assets/files/-1030/test.pdf i get a forbidden error, so that seems ok.

Don't include the hyphen in the URL. The correct URL in this case would be http://localhost:8080/site/assets/files/1030/test.pdf. The point is that direct access to the file at its actual location is forbidden, and instead PHP will grant or block access to the file depending on if the user is allowed.

Share this post


Link to post
Share on other sites
18 hours ago, douwe said:

Access without hyphen does download the file even if 'm not logged in.

Tested and it works fine. As Robin S suggested above, you are probably logged in. Try in a different browser or in incognito.

Share this post


Link to post
Share on other sites
28 minutes ago, Robin S said:

Are you testing this as a non-logged-in user, e.g. in an incognito window?

That seems to be the case... 

18 hours ago, douwe said:

Access without hyphen does download the file even if 'm not logged in.

 

Edited by kongondo

Share this post


Link to post
Share on other sites
54 minutes ago, kongondo said:

That seems to be the case...

Oh, right. Then the other thing to check is that the guest role does not have view access for the template. The notes for the "Prevent direct access to file assets" setting explain that this option means that files have the same access as the page that owns them.

2020-11-24_195407.png.0bdde0c45c84bcbc57ac0d448e423bc4.png

So if you want to deny file access to guests (or any other role besides superuser) then you must deny view access to the template for that role. 

2020-11-24_195824.png.ab42fd324704498fcba03b9793d03480.png

Share this post


Link to post
Share on other sites

Thank you for helping me @kongondo and @Robin S.
Disabling the 'view pages' role does prevent accessing the files. A 404-page shows up, but the user can't create a new page either.

The goal I'm trying to achieve is that a logged in user can only download the files attached to his own pages ($user->id == $page->created_users_id). Logged in users are creating pages with uploads in the frontend (api). I made a role for logged in users, but than they can still download each others files.

I think I need a hook somewhere so that not only the role is checked but also the created_users_id.
Is that the way to go? And to which function should I apply the hook?

Share this post


Link to post
Share on other sites
11 hours ago, douwe said:

The goal I'm trying to achieve is that a logged in user can only download the files attached to his own pages ($user->id == $page->created_users_id).

You'll need to use a hook for this rather than the access settings in the template. Give the role view and edit access in the template settings and add the following in /site/init.php

$wire->addHookAfter('Page::viewable, Page::editable', function(HookEvent $event) {
	$page = $event->object;
	$user = $event->wire()->user;
	// Only for non-superusers, for a specific template
	if($user->isSuperuser() || $page->template != 'restrict_files') return; // Adjust to suit your template name
	// User may only view or edit page if they created it
	$event->return = $page->created_users_id === $user->id;
});

 

  • Thanks 1

Share this post


Link to post
Share on other sites

Yes!! Thank you, that's exactly what I need. 
I can also leave away the userid/created_users_id check that I had in my template php-file. The hook is also providing for that.
Thanks again for this very educating reply (for me at least).

  • Like 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...