
Textpattern CMS support forum


#1 2008-11-14 17:25:53

leonardochen
Member
Registered: 2008-11-14
Posts: 11

Password protect file download

Hello

My TXP site hosts a bunch of files. Some of them need to be password protected.
I used .htaccess to protect the section that has links to these files, but they can still be downloaded directly if the person knows the link to them.

Any plugins that would ask for a password if someone tries to download a file of category “board-only”?

Thanks
Leo

Offline

#2 2008-11-14 22:07:10

shi
Member
Registered: 2005-12-09
Posts: 34

Re: Password protect file download

ign_password_protect can hide parts of the page if you are not logged in to Textpattern, or try rvm_privileged.

Last edited by shi (2008-11-14 22:10:07)

Offline

#3 2008-11-14 23:04:47

leonardochen
Member
Registered: 2008-11-14
Posts: 11

Re: Password protect file download

Thanks, that’s a good direction but I think I will need something more.
It seems that I can download any files from a TXP website if I go to
http://www.mysite.org/file_download/4
where 4 is the ID of the file I want to download.

Once I know what is the folder where the files are stored, I can download all of the others, including the ones that were supposed to be private.
http://www.mysite.org/file_download/5
http://www.mysite.org/file_download/6

If I could tell TXP to save files from category “private” in a folder “secure” inside the file_download, then I could protect it with an .htaccess, and leave the public files outside.

Any more ideas?

Offline

#4 2008-11-14 23:06:17

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: Password protect file download

leonardochen wrote:

I used .htaccess to protect the section that has links to these files, but they can still be downloaded directly if the person knows the link to them.

This is a problem I’ve encountered in the past. Like you, I tried the .htaccess route which stopped the dir listing but a direct hit bypassed the check; and I’m not good enough with .htaccess to find a way to stop it. I’m sure someone else is.

I don’t know the full capabilities of the two plugins shi mentioned, but I suspect they can’t stop files being downloaded. Would love to be proved wrong. In the TXP core there is a hook that can be utilised to offer some mechanism for a plugin to intercept a file_download event. It’d be easy enough to write something that pops up a password prompt but it probably won’t stop a direct hit on the /files directory. So there doesn’t seem much point writing one in isolation :-(

Thus, playing devil’s advocate here, I have a few general questions about what you are trying to achieve:

  1. If you could offer a password box for all files of a particular category (which is easy enough to do for /file_download requests but non-trivial for /files accesses), who are you protecting the files from? Is it people with TXP logins who don’t have sufficient privs? Or casual web surfers?
  2. Who would know the password? Just you? If not just you, what if whoever knew the password gave it to someone else?
  3. Are the files in that category sensitive such that it must not be accessed by unauthorised users (in which case a password is probably not adequate security anyway, unless you set a particularly fiendish one!) or is it just to keep the amateurs out?

If you think about the scope of this requirement from that perspective it might steer you (and us) towards a suitable solution.

For example, it may be more effective to move the files to a non-web-accessible location in your file tree. You can either do this manually via FTP (if there aren’t so many files and it’s just you managing them) and intercept calls to file_download to ask for a password before retrieving and serving them from their new location. Or, if uploading files rests with your client(s), a plugin could intercept uploads via the interface as well and ferret the files away to the secure location.

The reason I ask all this is because I’ve written a plugin to store files within TXP that are actually served from remote web locations (smd_remote_file). The plugin’s due for a rewrite one day, so in the process it may not be a great leap of faith to add a tickbox to offer to move such files to/from a nominated “secure” location within your own file tree, outside the web root. I don’t know, I’m just thinking out loud here.

So if you could define what you’re hoping to achieve I might be able to help, given a bit of time. If I can’t help in this way, there are enough .htaccess gurus out there who could probably help you write some bulletproof rules to at least stop anybody being sent any files from the /files dir even if they know the filename!


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#5 2008-11-15 00:52:35

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Password protect file download

Bloke wrote:

So if you could define what you’re hoping to achieve I might be able to help, given a bit of time. If I can’t help in this way, there are enough .htaccess gurus out there who could probably help you write some bulletproof rules to at least stop anybody being sent any files from the /files dir even if they know the filename!

Simplest protection methods should work, depending on the server of course. In example:

Most servers I have been on (cheap webhotels), don’t even allow .htaccess protection, so the latter is far more better. Also it’s way more secure too, and kinda simple to do. That way you can only download file from the server via PHP (that is the point why you should move the dir – no one can download the file directly from the dir), but usually that doesn’t matter if server is quality one; no small memory limit or choking server (note: PHP download scripts are bad idea on cheap hosts, but http-downloads are always bad (not bit check [often file damages because of that], hayshack, not anything), so why worry).

Last edited by Gocom (2008-11-15 00:58:54)

Offline
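
The approach proposed in the posts above (keep the files outside the web root and hand them out through PHP only after a check), as an added example that is not part of any post and is not Textpattern or plugin code. The directory path, the file table and the password hash are constructed placeholders.

```php
<?php
// Added example: standalone download gate. All names and values are hypothetical.
// Directory outside the document root, so no URL maps to it (placeholder path).
const SECURE_DIR = '/path/to/secure-files';
// Constructed stand-in for a file table: id => [filename, category].
$files = [
    4 => ['annual-report.pdf', 'public'],
    5 => ['letterhead.doc',    'board-only'],
];
// Placeholder: store the output of password_hash('...', PASSWORD_DEFAULT) here.
// Until it is replaced, password_verify() fails and board files stay closed.
const BOARD_HASH = 'REPLACE_WITH_PASSWORD_HASH';

function deny(int $code, string $msg): void
{
    http_response_code($code);
    if ($code === 401) {
        header('WWW-Authenticate: Basic realm="Board files"');
    }
    exit($msg);
}

// Accept only an integer id that exists in the table.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($id) || !array_key_exists($id, $files)) {
    deny(404, 'Not found');
}
[$name, $category] = $files[$id];

// The category check runs on every request, so trying the next id
// reaches a protected file only with the password.
if ($category === 'board-only') {
    $pw = $_SERVER['PHP_AUTH_PW'] ?? '';
    if (!password_verify($pw, BOARD_HASH)) {
        deny(401, 'Password required');
    }
}

// Resolve the path and confirm it is a regular file inside SECURE_DIR.
$base = realpath(SECURE_DIR);
$path = realpath(SECURE_DIR . '/' . basename($name));
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    deny(404, 'Not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Under CGI or FastCGI, `PHP_AUTH_PW` is only populated when the web server passes the Authorization header through to PHP.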

#6 2008-11-17 03:52:09

leonardochen
Member
Registered: 2008-11-14
Posts: 11

Re: Password protect file download

Thanks for the ideas. We’re getting there :)

The website is for a non-profit organization and at the present time I have 2 categories of users: public and board. The public users can download files such as annual reports, volunteer forms, etc., basically public information.

The board users have access to more files such as letterheads, templates, phone number of board members, etc. They are not business critical information, but I’d like to protect it since my contact info is there. Currently we store all of the files in a folder protected by .htaccess and we use a common password since the board is a small group of 5 people. An index.html page in that same folder provides a list to all of the files.
You must provide the password to download any file (even with a direct link) or to access the index. However, every time a new file is added (via FTP), I need to update the index with the right link.

I wanted to use the file upload facilities of TXP with 2 file categories: public and board. Links to public files exist throughout the website. A special article would list all files from the board category, with descriptions and links to all of them.
When a new file is added, TXP would update the index article automatically. This article could even be public, as long as users are asked for a password when they try to download the files. Right now I’m the only person that posts board files because I’m the only one that can edit the index.

Being able to store files of a category on a directory of my choosing would work well for me. All I need to do is to protect that folder with a .htaccess. Public files stay on a folder accessible by the world.

I think Bloke’s idea could work, but I would need to upload the files via FTP to a safe folder and then create an entry in TXP.

Offline

#7 2009-01-03 00:28:02

els
Moderator
From: The Netherlands
Registered: 2004-06-06
Posts: 7,458

Re: Password protect file download

Gocom wrote:

Move files dir outside of the public file tree – that way files can only be accessed by server itself aka by Textpattern.

the latter is far more better. Also it’s way more secure too, and kinda simple to do. That way you can only download file from the server via PHP

Can anyone tell me how I would point to those files from within Txp? Let’s say I create a directory ‘audio’ on the same level as ‘httpdocs’, so if the document root is /path/to/httpdocs/ I would need to point to /path/to/audio/file.mp3 to be able to play it in an audio player on the site. That is, if I correctly understood what Gocom said…

Offline

#8 2009-01-08 16:49:33

leonardochen
Member
Registered: 2008-11-14
Posts: 11

Re: Password protect file download

If I understood his proposal correctly, the files would be accessible through TXP. In other words, you define the “File directory path” (Admin, Preferences, Advanced) to /path/to/audio.

Then you upload your audio files using TXP, Content, Files and access them through the TXP links.

Unfortunately that doesn’t work for me since anyone can download them using the file ID. I’m still experimenting with what Bloke suggested.

Offline

#9 2009-01-08 17:05:07

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007
Website GitHub Mastodon Twitter

Re: Password protect file download

leonardochen wrote:

Unfortunately that doesn’t work for me since anyone can download them using the file ID.

Would yab_download help?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#10 2010-10-25 22:03:04

alanfluff
Member
From: Ottawa, Canada
Registered: 2008-09-15
Posts: 222
Website

Re: Password protect file download

Hi Stef, folks,

I can see a requirement for this coming my way and I was wondering if in the intervening time anything has happened with the neat solution of TXP accessing content that is not web/http available

  1. not relying on .htaccess
  2. guaranteeing that no URLs could get found that could allow uncontrolled access.

Specifically I was wondering if smd_remote_file could treat non-web accessible folders on the same host the site is on as the location where files were held.

I quickly tried and couldn’t see a way to do that yet with the v0.43 of your plugin on TXP 4.2.0.

It seems as if such a solution would be neat. Unless I am missing the plot* (*as per usual).

Is this do-able now or might it be one day, via a chargeable plugin perhaps?

Thanks in advance for any comments.

Cheers, -Alan


At LAST I’ve cheerfully donated to the core devs at #TXP. I only wish I were able to give more. Thanks to the devs and ALL fellow TXPers. -A

Offline

#11 2010-10-25 22:40:56

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: Password protect file download

@Alan

you wrote:

Hi Stef, folks,

I can see a requirement for this coming my way and I was wondering if in the intervening time anything has happened with the neat solution of TXP accessing content that is not web/http available

  1. not relying on .htaccess
  2. guaranteeing that no URLs could get found that could allow uncontrolled access.

<snip>

Is this do-able now or might it be one day, via a chargeable plugin perhaps?

Yes, I have a for-pay set of library routines (not a plugin) that allow this. I developed these to allow instant digital downloads (amongst a range of other things) so there is an option to integrate with paypal IPN messages if needed — but the two parts are very easily decoupled if you only need protected file access.

Files are stored outside the web root and the library gives you a choice of what kind of access protection to provide. You can have files password protected (or not), with a limited number of downloads, or an expiry date, or a mixture of all of the preceding. There’s even a one-time-pad implementation should you require a different password for each individual download of a protected file.

Please get in contact via forum email if you’d like to discuss your requirements further.


Steve

Offline

#12 2010-10-26 12:29:21

alanfluff
Member
From: Ottawa, Canada
Registered: 2008-09-15
Posts: 222
Website

Re: Password protect file download

Thanks Steve :)

I just replied via forum email.

Cheers, -Alan


At LAST I’ve cheerfully donated to the core devs at #TXP. I only wish I were able to give more. Thanks to the devs and ALL fellow TXPers. -A

Offline
