
Protecting files from non-logged-in users


itsberni

Hey PW guys,

I've just begun to work with PW. A very nice CMS. Thanks to Ryan for that great work!

I want to realize a one-page layout.

All works fine, but there are particular sections (PDF files) that should only be accessible after logging into the page as a user (to offer some downloads).

That also works fine, but after the user has logged out, the files are still available via URL.

Because of different fields, the single sections of the page are each realized with a separate template. That means the data for section1 comes from template section1, and so on.

Do you have any ideas how to fix this?

The settings in the config.php are

$config->pagefileSecure = true;

$config->pagefileSecurePathPrefix = '-';

I would be grateful for any tips.

Greetz Bernd


Are the directories in /site/assets/files/ prefixed with a "-" (i.e. /site/assets/files/-123/test.pdf)? I believe by default directories with a "-" are disabled by the .htaccess. Also be sure to test in Incognito mode.


Hey,

Right, the folders are prefixed with a "-" and the .htaccess has got this entry: RewriteRule "(^|/)\." - [F]

After the user has logged out, the folders can still be reached without the prefix (link to the file: ..../site/assets/files/123/test.pdf), not even when I delete and upload the file again over the backend does it change.
I'm really confused at that point...


Everything works as it should. I can access (when logged in) or can't access (once I log out) the file.

But after trying around I found a strange behavior when removing guest view access for the page. At first it works as it should.

Then I unpublish the page, and it isn't accessible anymore (as expected).

Then I publish the page, and only then I, as the superuser, can't access the file anymore, but I should be able to.

Once I give the guest role view access to the page again and start over, it is the same procedure.


Hey arjen,
I've downloaded 2.3.1 directly from the ProcessWire homepage.

@Soma,

I cannot reproduce this issue. My /-folder is being rewritten by the .htaccess into /folder, and that /folder can be reached by link/URL, no matter whether you're logged in as a user or not. :unsure:


Have you tried switching to the dev version/branch? You can download it on the GitHub page. You also might want to share your complete setup, especially the "Access" tab of your template.


Hey arjen,

OK, now I've changed to the master branch. Same issue. In the used template there is no authorisation defined (manage authorisation = no).

I'm a bit confused about the rewrite rule in the .htaccess -> "Access Restrictions: Keep web users out of dirs that begin with a period".
But shouldn't I then have to rename the dirs to /.folder rather than /-folder?!? (Or it's just too late right now :huh:.)

Btw. after the change to the master branch the folders are still renamed automatically from /-folder into /folder, but, as I found out just now, only after an access to a file in this particular folder occurs.


I believe that when pagefileSecure is enabled, ProcessWire automatically puts the pagefileSecurePathPrefix (default "-") in front of the folders when:

- A page with the files field is unpublished

- A page with the files field has a template for which the guest role is disabled

Just checked this with a fresh install. I also followed Soma's steps, but I can't seem to reproduce it.


Great!

Exactly that was the problem. Now access is denied when I'm logged out. Nearly perfect.

But now, when I'm logged in, the PDF files are only accessible via download. That means they do not open in the browser window (no file URL is visible in the browser address line). Is this normal behaviour?

Before the permission issue, the files opened in the browser (the file URL was visible in the browser address line).

Anyway, I'm very grateful for putting me on the right track!

Thanks guys!


When the file is protected, it's getting delivered by ProcessWire rather than Apache. ProcessWire doesn't know about all the different possibilities for file mime types, so it defaults to sending it as a binary download. Meaning, your browser should save it rather than display it. Though my browser still seems to recognize and display PDFs regardless, so the behavior may vary depending on the client side. 


Obviously there is still a problem with the file permissions.

When I integrate a file field as an array (maximum files allowed = 0), the files can be accessed when a user has logged in. Everything works fine!

But now I've integrated a second file upload (as part of a repeater field) in the same template. This field is set up as a single file field (maximum files allowed = 1).

The problem now is that the permissions to these files are denied although the user is logged in.

That means the files from the array (case one) are available; the files that are part of the repeater field are denied.

Is there anything to consider when using a file field within a repeater in a secured template?

EDIT:
When I'm logged in as a superuser, all files can be accessed.

Any ideas?


  • 2 weeks later...

I wasn't able to duplicate the issue that Soma mentioned, despite repeated attempts here. As far as an issue with files in repeaters, I think it's possible there is an issue there, but haven't had time to test that one out yet. I've added a GitHub issue report for that so that I can test that one out during the next debugging phase (aka early Sunday morning). 


  • 4 weeks later...
  • 2 weeks later...

A thought about this issue...
My page is organized as a one-page website. That means every "site" in PW is a section of the website. The permissions for what a logged-in user is supposed to see are handled in the template settings of the template concerned, so also in the section that carries the repeater.


My website structure:
<html>
     <head>
     </head>
     <body>
          include section1
          include section2
          include section3
          include section4
          include section5
          include footer
     </body>
</html>

My file section (works for a logged-in user; files can be downloaded):
<section3>
     <filePart> // foreach
          echo $someContentforEveryone;
          if($user->id && $user->isLoggedin()) {
               echo $someContentforSpecialUsers;
          }
     </filePart> // endOfForeach
</section3> 

My repeater section (doesn't work for a logged-in user; files can't be downloaded; the redirect set in the template is ignored and a 404 is thrown):
<section3>
     <repeaterPart> // foreach
          echo $someContentforEveryone;
          if($user->id && $user->isLoggedin()) {
               echo $someContentforSpecialUsers;
          }
     </repeaterPart> // endOfForeach
</section3>

In PagefilesManager.php I found the function _path and this part:

if($page->isPublic() || !$config->pagefileSecure) {
     // use the public path, renaming a secure path to public if it exists
     if(is_dir($securePath) && !is_dir($publicPath)) {
          @rename($securePath, $publicPath);
     }
     return $publicPath;
}

Is it possible that the problem is caused by there being no check of what kind of user (or user role) has logged in?
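Both arjen's description of when the "-" prefix is applied and the _path snippet above say the same thing: a directory is protected only while the owning page is not public. The script below is an added example (not ProcessWire's own code) that audits /site/assets/files/ for directories whose protection state disagrees with their page; it assumes ProcessWire 3.x with the script placed next to index.php, and that `wire()`, `$config->paths->files`, `$config->pagefileSecurePathPrefix` and `$page->isPublic()` behave as in the core. Repeater items are pages of their own, so their directories are checked the same way.

```php
<?php namespace ProcessWire;
// Added example, not ProcessWire's own code. Assumes ProcessWire 3.x and that this
// file sits in the site root next to index.php (the ProcessWire bootstrap).
// It reports page directories under /site/assets/files/ that are still served as
// plain URLs although the owning page is not public (and the reverse case).
require __DIR__ . '/index.php';

function auditSecureFileDirs(): array {
    $config   = wire('config');
    $pages    = wire('pages');
    $prefix   = $config->pagefileSecurePathPrefix; // '-' by default
    $findings = [];

    if (!$config->pagefileSecure) {
        $findings[] = '$config->pagefileSecure is false: no page directory is ever protected';
    }
    $entries = @scandir($config->paths->files);
    if ($entries === false) {
        return ['cannot read ' . $config->paths->files];
    }
    foreach ($entries as $dir) {
        $secured = strpos($dir, $prefix) === 0;
        $id = (int) ($secured ? substr($dir, strlen($prefix)) : $dir);
        if ($id <= 0) continue; // '.', '..' or something that is not a page directory

        $page = $pages->get($id); // get() by id ignores access restrictions
        if (!$page->id) {
            $findings[] = "$dir: no page with id $id (orphaned directory)";
            continue;
        }
        // isPublic() is false when the page is unpublished or its template denies
        // the guest role; only then should the directory carry the prefix.
        if (!$page->isPublic() && !$secured) {
            $findings[] = "$dir: page $id ({$page->path}) is not public, but its files are reachable by plain URL";
        } elseif ($page->isPublic() && $secured) {
            $findings[] = "$dir: page $id ({$page->path}) is public; PW will rename the directory on next file access";
        }
    }
    return $findings;
}

$findings = auditSecureFileDirs();
echo $findings ? implode("\n", $findings) . "\n" : "no findings\n";
```

Run it from the command line as the web server user so the directory listing and renames reflect what the site itself sees.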


  • 4 years later...

I think I have the same problem.

I'm working on a simple intranet with user profiles. I'm using the system User template to add my custom fields. I have about 10 custom fields and 1 image field holding a profile image.

I have enabled $config->pagefileSecure = true in my config.php file.

I have created a new template file called profile.php to use in the front end for users to see their profile information, including the profile photo.

ProcessWire has created a folder for every user with a '-' in front of the folder name.

When I access the profile template in the front end as the superuser, I can see my profile image.

When I switch to another, non-superuser profile and visit the profile page, I don't see the profile image.

Inspecting the source code of the page, the output for:

<?= $user->profile_foto->first()->url; ?>

is

http://intranetms.cl:8888/site/assets/files/1131/julie-paredes-perfil.jpg

without the '-' in front of the folder name.

Still logged in, on the profile page I copy and paste the JPG path into the browser address bar and Chrome starts to output gibberish.

I'm using ProcessWire 3.0.98.

Is this still a bug?


On 1/9/2014 at 7:51 AM, Soma said:

Everything works as it should. I can access (when logged in) or can't access (once I log out) the file.

But after trying around I found a strange behavior when removing guest view access for the page. At first it works as it should.

Then I unpublish the page, and it isn't accessible anymore (as expected).

Then I publish the page, and only then I, as the superuser, can't access the file anymore, but I should be able to.

Once I give the guest role view access to the page again and start over, it is the same procedure.

After further investigation I think I'm having the same problem. When I add the guest role it works as it should; if I remove the guest role the images are not viewable, even though the path is correct.
