Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

General Questions /

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

[Solved]Protecting Files in Asset Folder


Reply


8 Posts   1856 Views

Avatar
davidm2010

Community Member, 107 Posts

23 March 2011 at 1:40am

Edited: 23/03/2011 1:41am

Is there a way to allow access to assets folder only through Silverstripe?

Here is an example:

I have an audio file in a sub folder to assets. I have the mp3 player playing the song in an audio page. The page shows the source as http://mysite/Uploads/Music/song.mp3. When you go to the url, then the browser prompts to open or save. How do I keep this being viewable but still allow SS to do what it needs to do?

DM

Avatar
Mo

Community Member, 514 Posts

23 March 2011 at 10:05am

I would be interested to know if this is possible as well. I can see why it would be disabled by default, as I imagine it could cause server load to increase quite a bit.

I guess you could implement this functionality yourself, if you just create a new controller then add some new rules to director that would route all URL's that use "assets" to use your new controller.

Once in there I guess you could get Silverstripe to return the file, based on the URL, only if the user has permission (IP, Logged in, Whatever).

Don't ask me to write any code though, i have enough to do (sorry) :).

Mo

Avatar
davidm2010

Community Member, 107 Posts

23 March 2011 at 12:31pm

I think there is more to it than that. I think you would have to create a user, give that user permission to read/write.execute to the folder, then some how, make SS that user. So that the only way to access the folder is as that user through SS.

Once you had that, then it is pure code. So the first question is, how do you make SS a user so they only SS can access the folder? Rather than the user logged in, SS security would then kick in.

I wouldn't ask anyone to write special code, but thank you for considering it. :-)

DM

Avatar
Mo

Community Member, 514 Posts

23 March 2011 at 12:46pm

Well I think that depends what your server config is?

If its apache, I use http://mpm-itk.sesse.net/ to achieve this. If it is IIS, then you need to configure what user account IIS uses for that SS install. By default I believe it is something like "IIS_USR".

Technically, if you add your rules to Director, then traffic will not be able to access the assets folder through a web browser, as the request will be picked up by SS. I suppose it doesn't hurt to be safe though :).

One other thing, you would also need to remove the reference in your .htaccess file that disables URL rewriting for files with a suffix like .gif or .jpg.

Hopefully that gives you some food for thought?

Mo

Avatar
Bruce B

Community Member, 147 Posts

23 March 2011 at 1:04pm

Guys,
have you looked at the secure files module?
http://www.silverstripe.org/secure-files/
It stops assets downloads without a login but I don't think it solves the problem of allowing a file to be viewed on a SS page but not through a direct URL.

Avatar
Mo

Community Member, 514 Posts

23 March 2011 at 1:23pm

Oooo, I haven't actually seen that before, I am definitely going to check that out :-).

Ta very much!

Avatar
davidm2010

Community Member, 107 Posts

23 March 2011 at 11:03pm

@Bruce B - Thank you. I had seen this module before. Sometimes until you have a problem, you don't understand the solution. I will test this out and see if this is what I am looking for.

DM

Avatar
davidm2010

Community Member, 107 Posts

24 March 2011 at 11:50am

Edited: 24/03/2011 11:52am

FYI - I have been working with this module and it is very promising. Anyone else needing this I recommend looking at this thread [url]http://www.silverstripe.org/general-questions/show/16293#post301011#post301011.[/url]