This is the documentation for concrete5 version 5.6 and earlier.

This is a continuation of Part 1


Block Hot-linking

Another way to protect your URLs is to edit your .htaccess. This method blocks hot-linking of specific file types: a direct URL to any file with one of the listed extensions is only served when the request carries no Referer header, or a Referer from a site you allow. It is a very broad approach, and because the Referer header is set by the client it is a deterrent against casual embedding rather than access control: anyone who sends a forged Referer, or a download tool that sends none, still gets the file.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]

Replace example.com with your own domain. The flags must be separated from the pattern by a space: written as "$[NC]" with no space, Apache reads the flag as part of the regular expression, the condition never matches, and every request that carries a Referer, including requests from your own pages, is refused. The "?" after (www\.) lets referers without www match, and the escaped dot keeps "example\.com" from matching any character in that position. Remove any extension from the RewriteRule for which you want to allow hot-linking. Note that with php and css in the list, a visitor following a link from another site to a URL that ends in .php or .css (for example /index.php) also receives a 403. The rule also blocks files embedded on social sites such as Facebook or Google+; you can allow those by adding one more RewriteCond per site, which looks like this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?facebook\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://plus\.google\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]
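Before putting rules like these live it is worth checking them against a handful of sample requests. The script below is an added example, not part of the concrete5 documentation or of any concrete5 code: it emulates the RewriteCond/RewriteRule chain in PHP (Apache's [NC] flag is modelled with PCRE's /i modifier), and runs both the condition as it was originally printed, with the flag separated so the pattern is usable, and the corrected condition against constructed paths and referers. The domains evil.test and example.com and the file paths are constructed for the example.

```php
<?php
// Added example: offline emulation of the hot-link RewriteCond/RewriteRule chain.
// Not concrete5 code; paths, referers and the evil.test domain are constructed.

// RewriteRule pattern: one of the protected extensions at the end of the request path
$protectedExt = '/\.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$/i';

// RewriteCond as originally printed (flag separated): (www\.) is mandatory, the dot
// in example.com is unescaped, and only http:// is recognised
$originalAllowed = '{^http://(www\.)example.com/.*$}i';
// Corrected RewriteCond: optional www., escaped dot, http or https
$fixedAllowed = '{^https?://(www\.)?example\.com/}i';

// Returns true when Apache would answer 403 for this path/referer pair.
function isBlocked($path, $referer, $allowedPattern, $protectedPattern) {
    if (!preg_match($protectedPattern, $path)) {
        return false;   // RewriteRule pattern does not match: the rule never fires
    }
    if ($referer === '') {
        return false;   // RewriteCond %{HTTP_REFERER} !^$ fails: no referer is allowed
    }
    if (preg_match($allowedPattern, $referer)) {
        return false;   // RewriteCond on the allowed site fails: served normally
    }
    return true;        // both conditions hold, so "- [F]" applies
}

$cases = array(
    // path, referer, note (all constructed)
    array('/files/1234/5678/9012/photo.jpg', '',                          'direct visit, no referer'),
    array('/files/1234/5678/9012/photo.jpg', 'https://example.com/page',  'own site without www, over https'),
    array('/files/1234/5678/9012/photo.jpg', 'http://www.example.com/',   'own site with www'),
    array('/files/1234/5678/9012/photo.jpg', 'http://www.exampleXcom/',   'unescaped dot lets this through'),
    array('/files/1234/5678/9012/photo.jpg', 'https://evil.test/hotlink', 'third-party page embedding the image'),
    array('/files/1234/5678/9012/photo.jpg', 'https://www.example.com/',  'forged by the client: indistinguishable'),
    array('/index.php',                      'https://evil.test/link',    'php in the list blocks inbound links'),
    array('/index.php/about',                'https://evil.test/link',    'extension not at end of path: not matched'),
);

printf("%-32s %-28s %-9s %-9s %s\n", 'path', 'referer', 'original', 'fixed', 'note');
foreach ($cases as $c) {
    list($path, $referer, $note) = $c;
    printf("%-32s %-28s %-9s %-9s %s\n",
        $path,
        $referer === '' ? '(none)' : $referer,
        isBlocked($path, $referer, $originalAllowed, $protectedExt) ? '403' : 'served',
        isBlocked($path, $referer, $fixedAllowed, $protectedExt) ? '403' : 'served',
        $note);
}
```

Run it with "php hotlink_check.php". The second and fourth rows show what the original pattern gets wrong (your own site refused without www or over https; "exampleXcom" accepted), and the sixth row shows the limit of the whole technique: a forged Referer, for example curl -e "https://www.example.com/" against the image URL, is served exactly like a genuine one.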

Block any file type unless concrete5 asks for it

You can take .htaccess further and stop Apache from serving all files of a given type directly, so that they are only served by a concrete5 controller that first checks whether the requesting user has permission. For this you block the files in .htaccess and then write a PHP single-page controller that concrete5 runs for every request for such a file. You do not need to move your files for this type of protection.

This method/example was written and provided by user Sadu for concrete5 5.6.

In his example he has chosen to restrict all .pdf and .doc files to concrete5 users who have permission; you can easily add or remove other file types.

Step 1,

assign all PDF and DOC files that you want protected to a particular file set, e.g. "Restricted".

Step 2,

block direct access to these file types in .htaccess. Place the rules ahead of concrete5's own pretty-URL rewrite block. They assume pretty URLs are enabled, so that the rewritten path file_access/... is routed through index.php; without pretty URLs, rewrite to index.php/file_access/$1 instead. The NC flag matters: uploaded file names keep their case, so without it a file named Report.PDF would bypass the rule on a case-sensitive file system.

# NC: match Report.PDF as well as report.pdf; L: stop processing once rewritten
RewriteRule ^files/(.+\.pdf)$ file_access/$1 [NC,L]
RewriteRule ^files/(.+\.doc)$ file_access/$1 [NC,L]
RewriteRule ^files/(.+\.docx)$ file_access/$1 [NC,L]

Step 3,

create a new single page on the site. This is the controller that all PDF and DOC requests are passed through; it checks permissions before serving the file.

Upload file_access.php into the controllers folder. (The original post shows the controller in two screenshots, which are not reproduced here.)

Then upload a stub into the single_pages folder, again named file_access.php. (Shown in a third screenshot, not reproduced here.)


Step 4,

in the dashboard, add a single page called "file_access". Then open the sitemap and set the page's attributes so that it does not appear in the navigation or in the sitemap.

Done

When someone requests a file - eg /files/1234/5678/9012/test.pdf Apache will pass that request to the file_access.php controller instead of serving it directly.

The controller looks in the database for test.pdf and finds the correct one if there are several. This is slightly hacky as there is no C5 method for looking up a file by URL (AFAIK). It then looks for the sets the file belongs to and sees if it's in the 'Restricted' set. If it is, then you get an error message instead of the file. If it doesn't belong to that set, or if you are an administrator, then it serves the file to the browser.

The net result is that you can protect PDF and DOC files that belong to a particular set, even if someone knows the URL. This will slow down the performance of these types of files as you are introducing PHP and some DB queries, but won't affect the speed of images which is the bigger concern. It will NOT protect any filetype that is not specified in your .htaccess rules, even if you add it to the restricted group.

Hopefully this solution helps some people. Like many, I was not happy with the concept that private files are unprotected in the file manager if someone knows the URL. This strikes a good balance between security, performance, and ease of install I think.

I'd welcome any comments or improvements on this. Note I whipped this up pretty quick so there are definitely improvements that can be made.

http://www.concrete5.org/community/forums/customizing_c5/restricting-files-access/#519498
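Since Sadu's controller survives only in screenshots, the following is an added example of a controller that implements the steps above. It is not Sadu's code and not part of concrete5. It assumes concrete5 5.6, the Step 2 rewrite rules (which turn /files/1234/5678/9012/test.pdf into /file_access/1234/5678/9012/test.pdf, so that view() receives the three directory segments and the file name as arguments), the file set name "Restricted" from Step 1, and the core 5.6 calls Loader::db(), File::getByID(), File::getVersion(), File::getFileSets(), FileVersion::forceDownload() (assumed to stream the stored file as an attachment and exit), Group::getByName() and User::inGroup(). Unlike the lookup Sadu describes, it matches on the storage prefix as well as the file name, because the three directory names in a concrete5 5.6 file URL are the version's 12-character prefix, so several files sharing a name are told apart by the URL itself.

```php
<?php
// controllers/file_access.php
// Added example controller for the /file_access single page; not Sadu's original
// code and not part of concrete5. Assumes concrete5 5.6 and the Step 2 rewrite rules.
defined('C5_EXECUTE') or die('Access Denied.');

class FileAccessController extends Controller {

    // File set chosen in Step 1 (assumed name)
    const RESTRICTED_SET = 'Restricted';

    // Called as view('1234', '5678', '9012', 'test.pdf') for /files/1234/5678/9012/test.pdf
    public function view($seg1 = null, $seg2 = null, $seg3 = null, $filename = null) {
        // concrete5 5.6 stores each file version under a 12-character prefix split
        // into three directories of four characters; rebuilding it gives an exact key.
        $prefix = $seg1 . $seg2 . $seg3;
        if (!preg_match('/^[A-Za-z0-9]{12}$/', $prefix) || !is_string($filename) || $filename === '') {
            $this->deny(404, 'Not found.');
        }

        $found = $this->lookupFile($prefix, $filename);
        if ($found === false) {
            $this->deny(404, 'Not found.');
        }
        list($f, $fv) = $found;

        // Members of the restricted set are served to administrators only; every
        // other file of these types behaves as before (anyone with the URL gets it).
        if ($this->isRestricted($f) && !$this->isAdministrator()) {
            $this->deny(403, 'You do not have permission to download this file.');
        }

        // Streams exactly the version whose path was requested, then exits.
        $fv->forceDownload();
    }

    // Sadu notes there is no core method to look a file up by URL, so this queries
    // the FileVersions table directly. Prefix + name identify one object on disk.
    protected function lookupFile($prefix, $filename) {
        Loader::model('file');
        $db = Loader::db();
        $row = $db->GetRow(
            'SELECT fID, fvID FROM FileVersions WHERE fvPrefix = ? AND fvFilename = ? ORDER BY fvID DESC',
            array($prefix, $filename)
        );
        if (!$row) {
            return false;
        }
        $f = File::getByID($row['fID']);
        if (!is_object($f) || $f->isError()) {
            return false;
        }
        $fv = $f->getVersion($row['fvID']);
        return is_object($fv) ? array($f, $fv) : false;
    }

    // True when the file belongs to the set named in RESTRICTED_SET.
    protected function isRestricted($f) {
        Loader::model('file_set');
        foreach ($f->getFileSets() as $fs) {
            if ($fs->getFileSetName() === self::RESTRICTED_SET) {
                return true;
            }
        }
        return false;
    }

    // "Administrator" here means the super user or a member of the Administrators group.
    protected function isAdministrator() {
        $u = new User();
        if ($u->isSuperUser()) {
            return true;
        }
        $g = Group::getByName('Administrators');
        return is_object($g) && $u->inGroup($g);
    }

    // Answers with a plain-text error instead of the file and stops the request,
    // so nothing after a failed check can fall through to serving the bytes.
    protected function deny($status, $message) {
        $reason = ($status == 404) ? 'Not Found' : 'Forbidden';
        header('HTTP/1.1 ' . $status . ' ' . $reason);
        header('Content-Type: text/plain; charset=utf-8');
        echo $message;
        exit;
    }
}
```

Because the controller either streams the file or exits with an error, the stub in single_pages/file_access.php only needs the C5_EXECUTE guard line. Two checks worth running after installing it: request a restricted file while logged out and confirm a 403 rather than the bytes, and request the same path with the extension in a different case (Report.PDF) to confirm the NC flag on the rewrite rules is in place. As Sadu says, any extension absent from the .htaccess rules is still served directly by Apache, whatever set the file is in.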
