Thread: Advanced file protection

  1. #1
    Experienced user
    Join Date
    01-12-10.
    Posts
    814

    Advanced file protection

    I would like to be able to set access rights for each file, so only a certain member can access a certain file/folder. The purpose is to create a customer website where customers can download their logos and other customer-specific files.

    I think it is easier to protect files in Contao 3 now that the database-aided fs is added. But since all files are somewhere on the file server, access is still possible if people have a direct link. I could possibly deny direct file requests by preventing hotlinking. But could I also deny customers looking up other customers' files? (For example, change the HTML of the current page, adding a link to another customer's file and guessing the correct filename. This last thing would be easy since we name files according to type and customer name.)

    My problem would be that there are ways to access other customers' files for customers or others and I'd like to prevent that. Where would we best start and perhaps would this even be a good idea to try and add to Contao core?

    There is an extension I haven't tried yet, but it is for Contao 2.9: http://contao.org/extension-list/view/t ... 10013.html

    There was an earlier topic about this without a solution: viewtopic.php?f=6&t=3915

  2. #2
    Experienced user
    Join Date
    01-12-10.
    Posts
    814

    Re: Advanced file protection

    Made a feature request out of what I think is the solution. Rewrite file requests for protected folders to a PHP file that processes permissions and returns the file if permission is granted.

    https://github.com/contao/core/issues/5514

  3. #3
    User
    Join Date
    04-10-11.
    Posts
    162

    Re: Advanced file protection

    I did a similar thing with Contao. Firstly I locked the folder in the file manager, which prevents any direct access to its contents.

    I then had a module that accepted the ID of the file, fetched its location and content type from the database, then sent it to the browser using:

    Code:

    // Fetch $objFile from the database based on its ID

    // Get the path to the file
    $file = TL_ROOT . '/' . $objFile->file_path;

    // Get the filename
    $file_name = basename($file);

    // Only send the file if the permission check passed and the file exists
    if ($userHasPermission && is_file($file)) {

        // Send file to browser (filename quoted so spaces do not break the header)
        header('Content-Type: ' . $objFile->content_type);
        header('Content-Disposition: attachment; filename="' . $file_name . '"');
        header('Content-Length: ' . filesize($file));

        readfile($file);
        exit();
    }

    This will trigger the file to start downloading.

    Before you output the file to the browser you can do any checks you need, e.g. making sure the user is in the right member group.

    I did this in Contao 2.11, so at the time I had to create my own database table that kept track of files and their location on the server. It looks to me like Contao 3 doesn't capture the file's content type, which is needed to output it directly to the browser so maybe you'd need to look at how you could get that file info.

    I think you'll also find that Isotope e-commerce uses the same approach for giving access to downloadable products too.

  4. #4
    Experienced user
    Join Date
    01-12-10.
    Posts
    814

    Re: Advanced file protection

    Thanks, I guess that is about the best way to do it. I would like an .htaccess that automatically redirects to the script which checks permissions. Then it may work for Contao 2 and 3. Filetypes would usually conform to the extension. I wish Leo would add it to the core, if only because it would make Contao that much more awesome. But it is really useful too!
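
The approach discussed in posts #2 to #4 (rewrite requests for the protected folder to a script that checks permissions before returning the file), as an added example that is not part of the original thread and is not Contao code. The folder layout, the script name `download.php`, the `customer_folder` session key and the function names are assumptions; the content type is detected with PHP's fileinfo extension rather than read from a database column.

```php
<?php
// Assumed .htaccess rule (hypothetical paths) routing the protected folder here:
//   RewriteRule ^files/customers/(.+)$ download.php?path=$1 [L]
const PROTECTED_ROOT = '/var/www/files/customers'; // hypothetical location

// Returns the real path of $requested only if it is a file inside the folder
// owned by $memberFolder; null otherwise.
function resolveForMember(string $root, string $memberFolder, string $requested): ?string
{
    // The folder name is a single path segment, never "", ".." or "a/b".
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $memberFolder)) {
        return null;
    }
    $ownerDir = realpath($root . '/' . $memberFolder);
    $target   = realpath($root . '/' . $requested); // resolves ../ and symlinks
    if ($ownerDir === false || $target === false || !is_file($target)) {
        return null;
    }
    // Containment: the resolved path must begin with "<ownerDir>/", so a guessed
    // name such as "othercustomer/logo.svg" or "acme/../othercustomer/x" fails.
    $prefix = $ownerDir . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

function sendFile(string $path): void
{
    // Content type is detected from the file itself; no stored type is assumed.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
    // Keep the download name to characters that cannot break the quoted value.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    session_start();
    // Assumption: the login code stored the member's folder name in the session;
    // it is never taken from the request.
    $folder = (string) ($_SESSION['customer_folder'] ?? '');
    $req    = $_GET['path'] ?? '';
    $path   = is_string($req) ? resolveForMember(PROTECTED_ROOT, $folder, $req) : null;
    if ($path === null) {
        http_response_code(404); // same response for "missing" and "not yours"
        exit;
    }
    sendFile($path);
}
```

Because every request under the protected folder is rewritten to the script, a direct link or a guessed filename reaches the ownership check instead of the file.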
