Hi all,

I installed the secure files module, have uncommented the "security by member group" line in the module's _config.php, rebuilt the database... all the normal steps. I created a group and assigned 2 users to the group.

Both in the Security section of the CMS and the security tab for my secured folder, I have assigned the group access to secured files. The files in the secured folder are uploaded through a form by any visitor to the site, which then sends an email to the 2 members of the group previously mentioned with a link to download the file. Clicking the link takes you to the login form with a message that says, "not authorized," which seems right to me, but once you login as a member of the group the file still cannot be downloaded. If I un check the "folder is secure" box, the file downloads no problem.

Any reason I cannot access a secured file this way?

Thanks!

Hi there,

Which versions of Secure Files and SilverStripe are you using?

Only thing I can ask at the moment is, are you sure the member is in the group with secure access? Adding a user to a group with "secure file access" should bypass all the other checks, so they definitely should have access. Being in a group that has access to a particular folder is more complex, but it should be overridden by that setting anyway.

Please double check the user is logged in, is in the correct group and the file is in the correct place.

Hamish,

I am using silverstripe 2.4 with Secure Files v0.3. I have attached a few screenshots that show all the permissions and group membership to this post. Screenshot 5 occurs when you attempt to reach the file without being logged in... after logging in you get screenshot #6. If the folder is not secured, it will download as it should. If you login in advance and then visit the exact url you also get screenshot 6.

Thanks!

Thanks for the screenshots. Yeah, you've clearly got it set up correctly.

Could to post the htaccess file that should have been created in the ForFab folder? Also the relevant _config.php file for SecureFiles.

If they're normal, you might need to debug the process that grants permission to see if there is something awry.

Here is the .htaccess:

<IfModule xsendfile_module>
XSendFile on 
</IfModule>
RemoveHandler .php .phtml .php3 .php4 .php5 .inc 
RemoveType .php .phtml .php3 .php4 .php5 .inc 
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^(.*)$
RewriteRule (.*) sapphire/main.php?url=%1&%{QUERY_STRING} [L]

and here is the _config.php

<?php
/**
 * Secure Files Module Configuration
 *
 * @package securefiles
 * @author Hamish Campbell 
 * @copyright copyright (c) 2010, Hamish Campbell
 */

Director::addRules(50, array(ASSETS_DIR . '/$Action' => 'SecureFileController'));
AssetAdmin::require_css('securefiles/css/SecureFiles.css');
// -------------------------------

/**
 *  Apply optional permission methods here. Include them in the reverse
 *  order that you would like them to appear in the CMS.
 */

// Assign file security by individual member:
// DataObject::add_extension('File', 'SecureFileMemberPermissionDecorator');

// Assign file security by member group:
 DataObject::add_extension('File', 'SecureFileGroupPermissionDecorator');

// Create time-limited access tokens:
// DataObject::add_extension('File', 'SecureFileTokenPermissionDecorator');

// -------------------------------
DataObject::add_extension('File', 'SecureFileDecorator');

/**
 * For large files or heavily trafficed sites use x-sendfile headers to by-pass
 * file handling in PHP. Supported in lighttpd and in Apache with mod_xsendfile
 * available at http://tn123.ath.cx/mod_xsendfile/
 */
// SecureFileController::use_x_sendfile_method();

/**
 * For testing or debug purposes, you can force this module to use the internal
 * Sapphire send file method. Not recommended for production sites.
 */
// SecureFileController::use_ss_sendfile_method();