Strange 403 Forbidden calling the assets/files folder

[Luis]

Howdie folks,

i´m setting up a multisite with global module and global template folder. 

Most of the page render depends on $input->get, templates are delegated via 

<?php if($page->template){$t = new TemplateFile($config->paths->templates . "views/view_{$page->route}.php");} echo $t->render(); ?>

Template delegation happens in a controller.php named file on which this piece of code:

<img src="<?= $user->userimage->url ?>" class="img-circle" />

returns the 403 Forbidden, but only if i´m on the homepage and no other page data is called based on a get variable. 

Short overview regarding the multisite setup:

Index.php in root:

$siteDir = 'clientspaces/site-admin';

  $config = new Config();
  $config->urls = new Paths($rootURL);
  $config->urls->wire = "$wireDir/";
  $config->urls->site = "$siteDir/";
  $config->urls->modules = "$wireDir/modules/";
  $config->urls->siteModules = "modules/";
  $config->urls->core = "$coreDir/";
  $config->urls->assets = "$assetsDir/";
  $config->urls->cache = "$assetsDir/cache/";
  $config->urls->logs = "$assetsDir/logs/";
  $config->urls->files = "$assetsDir/files/";
  $config->urls->tmp = "$assetsDir/tmp/";
  $config->urls->templates = "application/";
  $config->urls->adminTemplates = is_dir("$siteDir/$adminTplDir") ? "$siteDir/$adminTplDir/" : "$wireDir/$adminTplDir/";
  $config->paths = clone $config->urls;
  $config->paths->root = $rootPath . '/';
  $config->paths->sessions = $config->paths->assets . "sessions/";

index.config.php:

function ProcessWireHostSiteConfig() {

        return array(
                 'foo.example.de' => 'clientspaces/foo',

                  '*' => 'clientspaces/site-admin',

                );

}

I started with deleting all restrictions in .htacces, but this wasnt a success.

EDIT: 

Creating the url by hand will serve the file, but without the abillity to access the imageClass methods

<img src="<?= $config->urls->assets ?>files/<?= $user->id ?>/<?= $user->userimage ?>" />

[Luis]

Ok, this is the request made by $image->url 

41/
/projectplaner/clientspaces/site-admin/assets/files
GET
403
Forbidden

and this is the request made by <?= $config->urls->files . $user->id ?>/<?= $user->userimage ?>

koala.jpg
/projectplaner/clientspaces/site-admin/assets/files/41
GET
304
Not Modified

Does PW just try to get the folder by accident, or is this request blocked directly on the folder?

[Luis]

After playing Sherlock Holmes again, the riddle grows.

I placed <?= $user->userimage->url ?> in various places inside my controller.php to find out under which circumstances the url method grabs the appropiate image file.

After placing it right before the closing body tag, it gives me the right file. Now I figured out that after doing this right before:

<?php foreach($users as $member): ?>
  <?php if($member->hasRole('projectmanager')): ?>
    <option value="<?= $member->id  ?>"><?= $member->membername ?></option>
  <?php endif ?>
<?php endforeach ?>

the $user->userimage is present. 

[Pete]

Are you iterating through users or something and echoing $user->something?

Just wondering because $user by default returns data for the user viewing the page.

If that's the case you want to do something like your last post and do forearm $users as $member and Echo $member->userimage

Of course I've probably completely misunderstood

[Luis]

The next bit found. 

After calling a page, a script on top checks if the $user is allowed to do this or that action like so:

if(!$project->staff->has($user)){
    header('Location: '.$pages->get(1)->url);
    die();
  }

and now $user->userimage->url is available.

@pete: no i`m not iterating through my users  

I just want to access the userimage from this user, who is actually accessing the page. 

So, You are looking into your profile and you get your userimage. 

[Pete]

Did you see my post straight before yours?

[Luis]

just tried to ninja edit before u noticed my post

my little workaround so far:

$user = $users->get($user->id);

on top

[Martijn Geerts]

Beware of that code Luis,  You're overwriting the $user variable.

( could have some side efffects, but didn't read all the posts well enough)

[Luis]

Yeah you´re right, but I think the risk is minimal, i´m just replacing the $user with an returned $user from $users->get. So the new $user should have all the same methods and properties. 

So $user === $user. Correct me if I´m wrong

[Martijn Geerts]

I'm sorry I don't see the full picture (that probably just me). But seeing you overwrite the $user variable rings some alarms on my side.

[Pete]

$user by default is always the user viewing the page. You should never overwrite that for stuff like this - instead use something like $myuser = $users->get(... and then you won't cross-contaminate your $user variables.

I marked your workaround as "unsolved" purely because it's unwise and not an ideal solution - please don't be offended but we don't want people using this as a solution.

[Luis]

please don't be offended

I don´t