I did a similar thing with Contao. Firstly I locked the folder in the file manager which prevents any direct access to it's contents.
I then had a module that that accepted the ID of the file, fetched it's location and content type from the database then sent it to the browser using:
Code:
// Fetch $objFile from the database based on it's ID
// Get the path to the file
$file = TL_ROOT . '/' . $objFile->file_path;
// Get the filename
$file_name = basename($file);
if($userHasPermission){
// Send file to browser
header("Content-Type: " . $objFile->content_type);
header("Content-Disposition: attachment; filename=$file_name");
header("Content-Length: " . filesize($file));
readfile($file);
exit();
}
This will trigger the file to start downloading.
Before you ouput the file to browser you can do any checks you need, e.g making sure the user is in the right member group.
I did this in Contao 2.11, so at the time I had to create my own database table that kept track of files and their location on the server. It looks to me like Contao 3 doesn't capture the file's content type, which is needed to output it directly to the browser so maybe you'd need to look at how you could get that file info.
I'll think you'll also find that Isotope e-commerce uses the same approach for giving access to downloadable products too.
Bookmarks