Results 1 to 14 of 14

Thread: Contao 4.4: How to restrict files/images to logged in users

  1. #1
    New user
    Join Date
    10-31-11.
    Posts
    28

    Default Contao 4.4: How to restrict files/images to logged in users

    I can restrict pages to logged in users. However, any files or images on those pages can still be accessed directlyby non-logged in users.

    The "Public" option in the file manager doesn't seem to have any affect (what is it for?).

    I have seen some complex solutions using mod_rewrite that don't seem to work anymore for 4.4. I would prefer a solution simple enough to survive upgrades.

    Any suggestions?

    Thanks,

    Allen

  2. #2
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339

    Default

    Quote Originally Posted by alien878 View Post
    I can restrict pages to logged in users. However, any files or images on those pages can still be accessed directlyby non-logged in users.
    Only those files in folders that are set to "public" can be reached from the outside.

    For other files you can use the Download(s) content element, which you can restrict to certain member groups (either directly in the element or indirectly via the page).

  3. #3
    New user
    Join Date
    10-31-11.
    Posts
    28

    Default

    Quote Originally Posted by Spooky View Post
    Only those files in folders that are set to "public" can be reached from the outside.

    For other files you can use the Download(s) content element, which you can restrict to certain member groups (either directly in the element or indirectly via the page).
    Actually, files in folders not marked public are still accessible with a direct link. Ex:

    https://www.webpage.de/files/protected/file.gif

    Where the files/protected directory does not have "Public" checked in the file manager. I think this only applies to the file manager.

    I was looking for some way to make our group's history pages (with pictures) private/members only to comply with new EU/German privacy laws. I think I will just have to take them down now. Kind of hard to take down 20 years of documented history though...

  4. #4
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339

    Default

    Quote Originally Posted by alien878 View Post
    Actually, files in folders not marked public are still accessible with a direct link. Ex:

    https://www.webpage.de/files/protected/file.gif

    Where the files/protected directory does not have "Public" checked in the file manager. I think this only applies to the file manager.
    No, that should not be possible. Only folders that are marked as "Public" are accessible in the front end - because only those get a symlink to the actual files directory.

  5. #5
    New user
    Join Date
    10-31-11.
    Posts
    28

    Default

    Okay.... Maybe I've set something up incorrectly. Admittedly, this site has been using contao for several years and I am not 100% sure all of the upgrades set up the files directory correctly.

    In the web directory, there is a symlink to ../files.

    This directory is the "root" of the backend's "File Manager".

    In the File Manager, I have created a directory "protected" with Public unchecked. This appears in the files directory.

    I can still access files in this "non-public" file directory with a direct link. Ex.

    https://www.webpage.de/files/protected/file.gif

    According to https://docs.contao.org/books/cookbo...tructure.html:

    "files/ contains public files such as images, CSS, JavaScript, etc. It is available from the web/ folder through a symbolic link.", so it seems correct.
    Last edited by alien878; 05/23/2018 at 16:00.

  6. #6
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339

    Default

    May be Contao is unable to delete the symlink (may be a permission issue?). Delete the symlink manually.

  7. #7
    New user
    Join Date
    10-31-11.
    Posts
    28

    Default

    I created the files link manually based on the documentation. The contao:install-web-dir deletes it and breaks every image on the webpage.

    So you are saying there shouldn't be a link to "files" in the web dir? I need one, but maybe that is because something went wrong when I upgraded from contao 3 to 4.

  8. #8
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339

    Default

    Quote Originally Posted by alien878 View Post
    I created the files link manually based on the documentation.
    You should not do that. Where did you read that?


    Quote Originally Posted by alien878 View Post
    The contao:install-web-dir deletes it and breaks every image on the webpage.
    What do you mean by that?

  9. #9
    New user
    Join Date
    10-31-11.
    Posts
    28

    Default

    Thanks spooky for answering my questions so quickly.

    Quote Originally Posted by Spooky View Post
    You should not do that. Where did you read that?
    https://docs.contao.org/books/cookbo...structure.html

    Scroll down to /files.

    Quote Originally Posted by Spooky View Post
    What do you mean by that?
    Whenever I run composer to add an extension, the files symlink is removed. I assumed it was at the contao:install-web-dir which is run even when adding an extension. Also, in the backend maintenance, the rebuild symlinks will delete it.

    Eather way, my main issue is that after upgrading my sites from contao 3 to 4, all web page images include the "files" in the url (ex. img src="files/images/image.jpg"). If I delete the files symlink, they are all broken. I take it from what you are saying, the image url in the webpage should not include the files (ex. img src="images/image.jpg" ).

    It seems something isn't quite right since the contao upgrade. Maybe I am missing a setting somewhere?

    Cheers,

    Allen

  10. #10
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339

    Default

    Quote Originally Posted by alien878 View Post
    Thanks spooky for answering my questions so quickly.



    https://docs.contao.org/books/cookbo...structure.html

    Scroll down to /files.
    It does not say that you should create those symlinks . It merely says, that the files in files/ are made available through symlinks. Those symlinks are generated by Contao - for folders that you have set to "public".




    Quote Originally Posted by alien878 View Post
    Eather way, my main issue is that after upgrading my sites from contao 3 to 4, all web page images include the "files" in the url (ex. img src="files/images/image.jpg"). If I delete the files symlink, they are all broken. I take it from what you are saying, the image url in the webpage should not include the files (ex. img src="images/image.jpg" ).

    It seems something isn't quite right since the contao upgrade. Maybe I am missing a setting somewhere?
    Did you set the folder "images" to be public?

  11. #11
    New user
    Join Date
    10-31-11.
    Posts
    28

    Default

    Quote Originally Posted by Spooky View Post
    It does not say that you should create those symlinks . It merely says, that the files in files/ are made available through symlinks. Those symlinks are generated by Contao - for folders that you have set to "public".
    Yeah, but the wording is a bit vague . After I upgraded 3 to 4, all images were broken. Investigating, I discovered all pages were rendered with images including the "files" (ex. img src="files/images/image.jpg"). Adding the files symlink fixed the images.

    If there is a better way to fix this, let me know. I would rather not have to edit every single image (100s) to fix this. If I remember correctly, I can't even change the images as the file chooser was also partially broken without the files symlink.

    Quote Originally Posted by Spooky View Post
    Did you set the folder "images" to be public?
    It was already set to public after the upgrade. All directories in files were set to public. I have tried turning it on/off, but the real problem seems to be that contao is rendering pages with the "files" in the image source names.

    FYI: My upgrade fun was documented here (final post describes what I did in the end): https://community.contao.org/en/show...h-workarounds)

  12. #12
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339

    Default

    Quote Originally Posted by alien878 View Post
    It was already set to public after the upgrade. All directories in files were set to public. I have tried turning it on/off
    You need to make sure that Contao is able to generate these symlinks.

    Try the following:

    1. Delete the folder web/files/
    2. Execute composer install
    3. Check whether the the web/files/ folder is generated again and that it contains a symlink from web/files/images/ to ../files/images/




    Quote Originally Posted by alien878 View Post
    but the real problem seems to be that contao is rendering pages with the "files" in the image source names.
    No, that's normal.

  13. #13
    New user
    Join Date
    10-31-11.
    Posts
    28

    Default

    Ah, I see. web/files is a directory that contains the links.

    I deleted the files symlink, ran the "Re-create the symlinks" in the backend maintenance and a symlink for "images" appeared. My other two public folders didn't appear, but I just added the symlink by hand. Re-running the backend maintenance doesn't delete the ones I added.

    Not sure what happened with my webpage upgrade, but at least it appears I have things fixed. Thanks!

    BTW: Back to my original goal--I created a members only page with images from non-public folders. It sometimes works:

    • Adding an image to in-line text doesn't work
    • Using "Add an Image" to a text element does work
    • An image gallery does not work


    I can live without it though.

    Cheers,

    Allen

  14. #14
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339

    Default

    You need to understand that files that are not in public folders can never be reached from the outside directly. It only works for the thumbnails, i.e. resized versions of those pictures - since the resized versions are stored in a publicly accessible folder.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •