Down-/Uploads on a "per user" policy

[Eltom]

Hi there,

Is there a way to upload files (e.g. ZIP-files) via a File-field for only a given user?

I need a way to upload files only for a given user.

Thanks in advance,

Thomas

[Wanze]

You can extend the user template with an files field, then each user can hold multiple files.

Under Setup > Templates > Filter > Show system templates => yes.

Now you can select the user template and add custom fields e.g. a files field

[Eltom]

Yes, I do know that, but if I know the path to a Document of an another user, the Doc is downloaded, regardless of the user. I have to avoid this scenario.

Regards,

Thomas

[Soma]

You could use the config options for page secure files...

$config->pagefileSecure = true;
$config->pagefileSecurePathPrefix = '-';

and make unpublished pages and their files will not be accessible via url.

So you could create child pages under the users page with a file field, and leave those pages unpublished. The assets directory will be prefixed with "-" which is restricted by htaccess.

But then you can use a passthru script  to send the file to the user if certain requirements are given using wireSendFile();

So for example construct the download link to the file like this on a page the user can see.

<a href="/download.php?user=1007&file=filename.pdf">Download file</a>

and in download.php with something like this for the passthru and user check

// bootstrap PW
include("./index.php");

// make sure user is logged in
if(wire("user")->isLoggedin()){
    $file = $_GET['file'];
    $userid = $_GET['user'];
    $userpage = wire("pages")->get(wire("user")->id);
    if($userpage->id != $userid) die("no access"); // make sure it's the user
    if($filepage = $userpage->child("include=all")){ // since page is unpublished we add include all
        // get the file from the page
        $filename = $filepage->images->get($file)->filename;
        if(!$filename) die("download not found");
        // send file to browser
        wireSendFile($filename, array('exit' => true));
    } else {
        die("no user page found");
    }
} else {
    wire("session")->redirect("/somepage/");
}

[Eltom]

Great Idea! Thank you, Soma!

[ryan]

Soma, is it necessary to pass the $userid in the URL since you'd already know the user from the wire('user')?

[Darrin Hert]

Soma's process worked great for our needs!

Made a couple of modifications to meet our requirements: we are protecting content based on invoice lookup from Unity3D.com. Once the authorization has been achieved it is stored in a session var. We also created a field in our invoice-protected page template for entering the pageID of the UNpublished page holding the download files.

The only thing that needs to be passed to the passthru script at this point is the filename. The Unpublished pageID and the user's authentication status are "passed" to the passthru script via session variables -- keeping auth and page location behind the scenes. The passthru script checks for authentication via the session var and looks up the file on the page using the pageID session var. If the file is not found, we redirect to an unlisted page with information on what the user should do.

Thanks a bunch Soma!!!