Restricting file access to logged-in users

We have an internal company site that we use to document specifications for software development. Currently, we use Adrian's ProtectedMode module to restrict the site to logged-in users, but one of the engineers just noted that uploaded files are (naturally, given the scope of the module) visible without authentication. While this isn't a huge risk (you have to know the URL to view an uploaded file), it is technically a security issue since we have lots of proprietary things attached to pages on the site.

Any ideas on how I could lock down these files so you have to be logged in to view them? 

Thanks Adrian! (And thanks for the ProtectedMode module, too.) I just used the config settings referenced in a couple of those threads:

$config->pagefileSecure = true;
$config->pagefileSecurePathPrefix = '-';

And made sure the "guest" permission was disabled for the templates that have image attachments. For some reason, it seems to have taken about an hour to propagate (some links were still showing up unauthenticated), but everything appears to be locked down now.

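One way to confirm the lockdown described in the post above from an anonymous client, as an added example that is not part of the original thread: it requests each attachment URL without a session cookie and flags any that are still served with a 2xx status. The sample URLs and the `fetch_status` and `audit` helpers are constructed for illustration.

```python
"""Check that uploaded-file URLs are no longer served to anonymous clients."""
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: a 302 to a login page counts as "protected".
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, timeout=10):
    """Return the HTTP status of a cookie-less GET (hypothetical helper)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx arrive here because redirects are not followed.
        return err.code


def audit(urls, fetch=fetch_status):
    """Map each URL to 'EXPOSED' (2xx without login), 'protected' or 'error'."""
    results = {}
    for url in urls:
        try:
            status = fetch(url)
        except OSError:  # DNS failure, refused connection, timeout
            results[url] = "error"
            continue
        results[url] = "EXPOSED" if 200 <= status < 300 else "protected"
    return results


if __name__ == "__main__":
    # Constructed sample URLs; replace with real attachment links from the site.
    sample = [
        "https://specs.example.internal/site/assets/files/1234/spec-v2.pdf",
        "https://specs.example.internal/site/assets/files/1234/diagram.png",
    ]
    for url, verdict in audit(sample).items():
        print(f"{verdict:9}  {url}")
```

Since the post reports that some links stayed reachable for about an hour, running the check again later shows whether any URL is still marked EXPOSED.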
