Is there a way to allow access to assets folder only through Silverstripe?
Here is an example:
I have an audio file in a subfolder of assets. I have the mp3 player playing the song in an audio page. The page shows the source as http://mysite/Uploads/Music/song.mp3. When you go to the URL, then the browser prompts to open or save. How do I keep this being viewable but still allow SS to do what it needs to do?
I would be interested to know if this is possible as well. I can see why it would be disabled by default, as I imagine it could cause server load to increase quite a bit.
I guess you could implement this functionality yourself, if you just create a new controller then add some new rules to Director that would route all URLs that use "assets" to use your new controller.
Once in there I guess you could get Silverstripe to return the file, based on the URL, only if the user has permission (IP, Logged in, Whatever).
Don't ask me to write any code though, I have enough to do (sorry) :).
I think there is more to it than that. I think you would have to create a user, give that user permission to read/write/execute to the folder, then somehow make SS that user. So that the only way to access the folder is as that user through SS.
Once you had that, then it is pure code. So the first question is, how do you make SS a user so that only SS can access the folder? Rather than the user logged in, SS security would then kick in.
I wouldn't ask anyone to write special code, but thank you for considering it. :-)
Well, I think that depends on what your server config is?
If it's Apache, I use http://mpm-itk.sesse.net/ to achieve this. If it is IIS, then you need to configure what user account IIS uses for that SS install. By default I believe it is something like "IIS_USR".
Technically, if you add your rules to Director, then traffic will not be able to access the assets folder through a web browser, as the request will be picked up by SS. I suppose it doesn't hurt to be safe though :).
One other thing, you would also need to remove the reference in your .htaccess file that disables URL rewriting for files with a suffix like .gif or .jpg.
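The gatekeeping-controller idea discussed above, sketched as an added example that is not code from any poster in this thread and does not use Silverstripe's own API. It is plain PHP and assumes the web server rewrites every /assets/ request to this script with the path in a `file` query parameter; `ASSETS_DIR` and the `member_id` session key are hypothetical names.

```php
<?php
// Added example: a plain-PHP gate for files under assets/.
// Assumption: the web server no longer serves assets/ directly and instead
// rewrites those requests to this script as ?file=<relative path>.
const ASSETS_DIR = __DIR__ . '/assets';   // hypothetical location

/** Map a requested relative path to a real file inside $base, or null. */
function resolveAsset(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . ltrim($relative, '/'));
    if ($baseReal === false || $target === false || !is_file($target)) {
        return null;
    }
    // Reject anything that resolves outside the folder ("../", symlinks).
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

/** Permission rule; here any logged-in session. 'member_id' is a hypothetical key. */
function mayRead(array $session): bool
{
    return !empty($session['member_id']);
}

/** Send the file if allowed; returns the HTTP status that was set. */
function serve(string $relative, array $session): int
{
    // Check permission first so anonymous callers cannot probe which files exist.
    if (!mayRead($session)) {
        http_response_code(403);
        return 403;
    }
    $file = resolveAsset(ASSETS_DIR, $relative);
    if ($file === null) {
        http_response_code(404);
        return 404;
    }
    http_response_code(200);
    // mime_content_type() needs the fileinfo extension.
    header('Content-Type: ' . (mime_content_type($file) ?: 'application/octet-stream'));
    header('Content-Length: ' . filesize($file));
    header('X-Content-Type-Options: nosniff');
    readfile($file);
    return 200;
}

if (PHP_SAPI !== 'cli') {
    session_start();
    serve($_GET['file'] ?? '', $_SESSION);
}
```

A gate like this decides per request, so a browser that passes the permission check can fetch the file whether the request comes from the embedded player or from the address bar.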
Have you looked at the secure files module? http://www.silverstripe.org/secure-files/
It stops assets downloads without a login but I don't think it solves the problem of allowing a file to be viewed on a SS page but not through a direct URL.