member with access to securefiles can't access secure file


Community Member, 103 Posts

26 May 2010 at 3:47am

Hi all,

I installed the secure files module, have uncommented the "security by member group" line in the module's _config.php, rebuilt the database... all the normal steps. I created a group and assigned 2 users to the group.

Both in the Security section of the CMS and the security tab for my secured folder, I have assigned the group access to secured files. The files in the secured folder are uploaded through a form by any visitor to the site, which then sends an email to the 2 members of the group previously mentioned with a link to download the file. Clicking the link takes you to the login form with a message that says, "not authorized," which seems right to me, but once you log in as a member of the group the file still cannot be downloaded. If I uncheck the "folder is secure" box, the file downloads no problem.

Any reason I cannot access a secured file this way?



Community Member, 712 Posts

31 May 2010 at 9:03am

Hi there,

Which versions of Secure Files and SilverStripe are you using?

Only thing I can ask at the moment is, are you sure the member is in the group with secure access? Adding a user to a group with "secure file access" should bypass all the other checks, so they definitely should have access. Being in a group that has access to a particular folder is more complex, but it should be overridden by that setting anyway.

Please double check the user is logged in, is in the correct group and the file is in the correct place.


Community Member, 103 Posts

2 June 2010 at 8:33am


I am using SilverStripe 2.4 with Secure Files v0.3. I have attached a few screenshots that show all the permissions and group membership to this post. Screenshot 5 occurs when you attempt to reach the file without being logged in... after logging in you get screenshot #6. If the folder is not secured, it will download as it should. If you log in in advance and then visit the exact URL you also get screenshot 6.


Community Member, 712 Posts

2 June 2010 at 10:05am

Thanks for the screenshots. Yeah, you've clearly got it set up correctly.

Could you post the htaccess file that should have been created in the ForFab folder? Also the relevant _config.php file for SecureFiles.

If they're normal, you might need to debug the process that grants permission to see if there is something awry.


Community Member, 103 Posts

3 June 2010 at 12:19am

Here is the .htaccess:

<IfModule xsendfile_module>
XSendFile on
</IfModule>
RemoveHandler .php .phtml .php3 .php4 .php5 .inc
RemoveType .php .phtml .php3 .php4 .php5 .inc
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^(.*)$
RewriteRule (.*) sapphire/main.php?url=%1&%{QUERY_STRING} [L]

and here is the _config.php

<?php
/**
 * Secure Files Module Configuration
 * @package securefiles
 * @author Hamish Campbell
 * @copyright copyright (c) 2010, Hamish Campbell
 */

Director::addRules(50, array(ASSETS_DIR . '/$Action' => 'SecureFileController'));
// -------------------------------

/**
 *  Apply optional permission methods here. Include them in the reverse
 *  order that you would like them to appear in the CMS.
 */

// Assign file security by individual member:
// DataObject::add_extension('File', 'SecureFileMemberPermissionDecorator');

// Assign file security by member group:
DataObject::add_extension('File', 'SecureFileGroupPermissionDecorator');

// Create time-limited access tokens:
// DataObject::add_extension('File', 'SecureFileTokenPermissionDecorator');

// -------------------------------
DataObject::add_extension('File', 'SecureFileDecorator');

/**
 * For large files or heavily trafficked sites use x-sendfile headers to by-pass
 * file handling in PHP. Supported in lighttpd and in Apache with mod_xsendfile
 * available at
 */
// SecureFileController::use_x_sendfile_method();

/**
 * For testing or debug purposes, you can force this module to use the internal
 * Sapphire send file method. Not recommended for production sites.
 */
// SecureFileController::use_ss_sendfile_method();
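
Added illustration, not part of any post above and not the Secure Files module's own code: a stand-alone PHP model of the order of checks the thread describes (unsecured folder, anonymous visitor, group-wide secure file access, per-folder group), returning which rule decided so the grant process can be traced. The function name, array keys, rule labels and group ids are hypothetical.

```php
<?php
// Stand-alone model of the access decision described in this thread.
// NOT the Secure Files module's code: names, keys and labels are hypothetical.

/**
 * @param array      $folder ['secured' => bool, 'groups' => int[]]
 *                           groups = ids assigned on the folder's security tab
 * @param array|null $member null when nobody is logged in, otherwise
 *                           ['groups' => int[], 'secureFileAccess' => bool]
 * @return array [decision, rule that produced it]
 */
function traceSecureFileAccess(array $folder, ?array $member): array
{
    if (!$folder['secured']) {
        return ['serve', 'folder is not secured'];
    }
    if ($member === null) {
        return ['login', 'secured folder, nobody logged in'];
    }
    // Group-wide "secure file access" overrides the per-folder checks.
    if ($member['secureFileAccess']) {
        return ['serve', 'member has group-level secure file access'];
    }
    $shared = array_intersect($member['groups'], $folder['groups']);
    if (count($shared) > 0) {
        return ['serve', 'member is in folder group ' . implode(',', $shared)];
    }
    return ['deny', 'logged in, but no rule granted access'];
}

// Constructed sample data: group 7 stands in for the group from the thread.
$folder = ['secured' => true, 'groups' => [7]];
$cases = [
    'anonymous visitor'       => null,
    'member, global access'   => ['groups' => [7], 'secureFileAccess' => true],
    'member, folder group'    => ['groups' => [7], 'secureFileAccess' => false],
    'member, unrelated group' => ['groups' => [3], 'secureFileAccess' => false],
];
foreach ($cases as $label => $member) {
    [$decision, $rule] = traceSecureFileAccess($folder, $member);
    printf("%-24s %-6s %s\n", $label, $decision, $rule);
}
```

In this model, a member who is logged in and still refused can only have reached the final branch, so logging which rule fired for the real request narrows the fault to the group lookup or the permission flag.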