Jump to content

Storing files outside the document root


Recommended Posts

I can see there is a plugin that allows for you to store files outside the document root but it seems to be a while since it was updated and some users are reporting issues. I thought of a relatively simple way of doing this and wondered if anyone thought this approach was good — or if there was a better way.

I am thinking I have a Files field and then a proxy field (probably a Repeater) that stores the file path, file name, description, etc. When a page is saved the files from the files Field are copied outside the document root and the data is added as new Repeater items. The Files field is then cleared.

When proxy Repeater items are deleted the files are also deleted off the server. The user could also edit any additional fields on the repeater (i.e. meta data for the file); the path field though would not be editable.

Then on the front end I can access then via their repeater ID. E.g. /secure-files/1067/ Or maybe even have a name of the file as a URL segment: /secure-files/1067/document.pdf (if that is possible).

Would that work — or is there a simpler way?

One thing that I wondered about is if you upload a file and then don't save the page. What seems to happen is the system purges it but only when you edit that page again. This is not a big deal for this particular use case but thinking about sites that may be dealing in documents with personal information on I am wondering if there is any bulletproof method of ensuring there are never any sensitive files left in the public folder.

Thanks! 🙂

Link to comment
Share on other sites

I have implemented this today and it seems to work well. I am storing the files in a protected folder and when I copy them there I am assigning a unique 64-bit token which is referenced via a repeater. This saves me having to manage files with the same name with a numerical post-fix.

On the front-end I have a single secure-files template that uses URL segments to access the files.

E.g. /secure-files/68af96520c980c0a/test.jpg and /secure-files/68af96520c980c0a/test.jpg?dl=1 to download. (reads from /my-private-folder/68af96520c980c0a.jpg)

The only downsides are:

  1. If you upload a file and don't save it is technically in the public root (as mentioned above) and not deleted until the current page is accessed again
  2. You can’t view the files directly from the CMS as you can with standard Files/Images fields. Is there any field type that easily allows some arbitrary HTML based on current page field values so I could add links in?
Link to comment
Share on other sites

  • 1 month later...

It seems this is part of the ProcessWire core now so if you install 3.0.184 there is a template option:


If you look in the latest PW there is a new rule that blocks access to folders in site/assets that start with a hyphen. If you attempt to access the corresponding URL without the hyphen PW will do authentication checks. Direct access to the folder throws a Forbidden error.

If access is blocked to the file it 404s irrespective of the What to do when user attempts to view a page and has no access? setting.



  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...