
Textpattern CMS support forum


#1 2008-11-14 17:25:53

leonardochen
Member
Registered: 2008-11-14
Posts: 11

Password protect file download

Hello

My TXP site hosts a bunch of files. Some of them need to be password protected.
I used .htaccess to protect the section that has links to these files, but they can still be downloaded directly if the person knows the link to them.

Any plugins that would ask for a password if someone tries to download a file of category “board-only”?

Thanks
Leo

Offline

#2 2008-11-14 22:07:10

shi
Member
Registered: 2005-12-09
Posts: 34

Re: Password protect file download

ign_password_protect can hide parts of the page if you are not logged in to Textpattern, or try rvm_privileged.

Last edited by shi (2008-11-14 22:10:07)

Offline

#3 2008-11-14 23:04:47

leonardochen
Member
Registered: 2008-11-14
Posts: 11

Re: Password protect file download

Thanks, that’s a good direction but I think I will need something more.
It seems that I can download any files from a TXP website if I go to
http://www.mysite.org/file_download/4
where 4 is the ID of the file I want to download.

Once I know what is the folder where the files are stored, I can download all of the others, including the ones that were supposed to be private.
http://www.mysite.org/file_download/5
http://www.mysite.org/file_download/6

If I could tell TXP to save files from category “private” in a folder “secure” inside the file_download, then I could protect it with an .htaccess, and leave the public files outside.

Any more ideas?

Offline

#4 2008-11-14 23:06:17

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 12,500
Website GitHub

Re: Password protect file download

leonardochen wrote:

I used .htaccess to protect the section that has links to these files, but they can still be downloaded directly if the person knows the link to them.

This is a problem I’ve encountered in the past. Like you, I tried the .htaccess route which stopped the dir listing but a direct hit bypassed the check; and I’m not good enough with .htaccess to find a way to stop it. I’m sure someone else is.

I don’t know the full capabilities of the two plugins shi mentioned, but I suspect they can’t stop files being downloaded. Would love to be proved wrong. In the TXP core there is a hook that can be utilised to offer some mechanism for a plugin to intercept a file_download event. It’d be easy enough to write something that pops up a password prompt but it probably won’t stop a direct hit on the /files directory. So there doesn’t seem much point writing one in isolation :-(

Thus, playing devil’s advocate here, I have a few general questions about what you are trying to achieve:

  1. If you could offer a password box for all files of a particular category (which is easy enough to do for /file_download requests but non-trivial for /files accesses), who are you protecting the files from? Is it people with TXP logins who don’t have sufficient privs? Or casual web surfers?
  2. Who would know the password? Just you? If not just you, what if whoever knew the password gave it to someone else?
  3. Are the files in that category sensitive such that it must not be accessed by unauthorised users (in which case a password is probably not adequate security anyway, unless you set a particularly fiendish one!) or is it just to keep the amateurs out?

If you think about the scope of this requirement from that perspective it might steer you (and us) towards a suitable solution.

For example, it may be more effective to move the files to a non-web-accessible location in your file tree. You can either do this manually via FTP (if there aren’t so many files and it’s just you managing them) and intercept calls to file_download to ask for a password before retrieving and serving them from their new location. Or, if uploading files rests with your client(s), a plugin could intercept uploads via the interface as well and ferret the files away to the secure location.

The reason I ask all this is because I’ve written a plugin to store files within TXP that are actually served from remote web locations (smd_remote_file). The plugin’s due for a rewrite one day, so in the process it may not be a great leap of faith to add a tickbox to offer to move such files to/from a nominated “secure” location within your own file tree, outside the web root. I don’t know, I’m just thinking out loud here.

So if you could define what you’re hoping to achieve I might be able to help, given a bit of time. If I can’t help in this way, there are enough .htaccess gurus out there who could probably help you write some bulletproof rules to at least stop anybody being sent any files from the /files dir even if they know the filename!


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Hire Txp Builders – finely-crafted code, design and Txp

Online

#5 2008-11-15 00:52:35

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Password protect file download

Bloke wrote:

So if you could define what you’re hoping to achieve I might be able to help, given a bit of time. If I can’t help in this way, there are enough .htaccess gurus out there who could probably help you write some bulletproof rules to at least stop anybody being sent any files from the /files dir even if they know the filename!

Simplest protection methods should work, depending on the server of course. In example:

Most servers I have been on (cheap webhotels) don’t even allow .htaccess protection, so the latter is far more better. Also it’s way more secure too, and kinda simple to do. That way you can only download a file from the server via PHP (that is the point of why you should move the dir – no one can download the file directly from the dir), but usually that doesn’t matter if the server is a quality one; no small memory limit or choking server (note: PHP download scripts are a bad idea on cheap hosts, but http-downloads are always bad (not bit check [often file damages because of that], hayshack, not anything), so why worry).

Last edited by Gocom (2008-11-15 00:58:54)

Offline

#6 2008-11-17 03:52:09

leonardochen
Member
Registered: 2008-11-14
Posts: 11

Re: Password protect file download

Thanks for the ideas. We’re getting there :)

The website is for a non-profit organization and at the present time I have 2 categories of users: public and board. The public users can download files such as annual reports, volunteer forms, etc., basically public information.

The board users have access to more files such as letterheads, templates, phone number of board members, etc. They are not business critical information, but I’d like to protect it since my contact info is there. Currently we store all of the files in a folder protected by .htaccess and we use a common password since the board is a small group of 5 people. An index.html page in that same folder provides a list to all of the files.
You must provide the password to download any file (even with a direct link) or to access the index. However, every time a new file is added (via FTP), I need to update the index with the right link.

I wanted to use the file upload facilities of TXP with 2 file categories: public and board. Links to public files exist throughout the website. A special article would list all files from the board category, with descriptions and links to all of them.
When a new file is added, TXP would update the index article automatically. This article could even be public, as long as users are asked for a password when they try to download the files. Right now I’m the only person that posts board files because I’m the only one that can edit the index.

Being able to store files of a category on a directory of my choosing would work well for me. All I need to do is to protect that folder with a .htaccess. Public files stay on a folder accessible by the world.

I think Bloke’s idea could work, but I would need to upload the files via FTP to a safe folder and then create an entry in TXP.

Offline

#7 2009-01-03 00:28:02

els
Moderator
From: The Netherlands
Registered: 2004-06-06
Posts: 7,458

Re: Password protect file download

Gocom wrote:

Move files dir outside of the public file tree – that way files can only be accessed by server itself aka by Textpattern.

the latter is far more better. Also it’s way more secure too, and kinda simple to do. That way you can only download a file from the server via PHP

Can anyone tell me how I would point to those files from within Txp? Let’s say I create a directory ‘audio’ on the same level as ‘httpdocs’, so if the document root is /path/to/httpdocs/ I would need to point to /path/to/audio/file.mp3 to be able to play it in an audio player on the site. That is, if I correctly understood what Gocom said…

Offline

#8 2009-01-08 16:49:33

leonardochen
Member
Registered: 2008-11-14
Posts: 11

Re: Password protect file download

If I understood his proposal correctly, the files would be accessible through TXP. In other words, you define the “File directory path” (Admin,Preferences,Advanced) to /path/to/audio.

Then you upload your audio files using TXP,Content,Files and access them through the TXP links.

Unfortunately that doesn’t work for me since anyone can download them using the file ID. I’m still experimenting with what Bloke suggested.

Offline

#9 2009-01-08 17:05:07

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,396
Website GitHub Mastodon Twitter

Re: Password protect file download

leonardochen wrote:

Unfortunately that doesn’t work for me since anyone can download them using the file ID.

would yab_download help?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#10 2010-10-25 22:03:04

alanfluff
Member
From: Ottawa, Canada
Registered: 2008-09-15
Posts: 222
Website

Re: Password protect file download

Hi Stef, folks,

I can see a requirement for this coming my way and I was wondering if in the intervening time anything has happened with the neat solution of TXP accessing content that is not web/http available

  1. not relying on .htaccess
  2. guaranteeing that no URLs could get found that could allow uncontrolled access.

Specifically I was wondering if smd_remote_file could treat non-web accessible folders on the same host the site is on as the location where files were held.

I quickly tried and couldn’t see a way to do that yet with the v0.43 of your plugin on TXP 4.2.0.

It seems as if such a solution would be neat. Unless I am missing the plot* (*as per usual).

Is this do-able now or might it be one day, via a chargeable plugin perhaps?

Thanks in advance for any comments.

Cheers, -Alan


At LAST I’ve cheerfully donated to the core devs at #TXP. I only wish I were able to give more. Thanks to the devs and ALL fellow TXPers. -A

Offline

#11 2010-10-25 22:40:56

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: Password protect file download

@Alan

you wrote:

Hi Stef, folks,

I can see a requirement for this coming my way and I was wondering if in the intervening time anything has happened with the neat solution of TXP accessing content that is not web/http available

  1. not relying on .htaccess
  2. guaranteeing that no URLs could get found that could allow uncontrolled access.

<snip>

Is this do-able now or might it be one day, via a chargeable plugin perhaps?

Yes, I have a for-pay set of library routines (not a plugin) that allow this. I developed these to allow instant digital downloads (amongst a range of other things) so there is an option to integrate with paypal IPN messages if needed — but the two parts are very easily decoupled if you only need protected file access.

Files are stored outside the web root and the library gives you a choice of what kind of access protection to provide. You can have files password protected (or not), with a limited number of downloads, or an expiry date, or a mixture of all of the preceding. There’s even a one-time-pad implementation should you require a different password for each individual download of a protected file.

Please get in contact via forum email if you’d like to discuss your requirements further.


Steve

Offline

#12 2010-10-26 12:29:21

alanfluff
Member
From: Ottawa, Canada
Registered: 2008-09-15
Posts: 222
Website

Re: Password protect file download

Thanks Steve :)

I just replied via forum email.

Cheers, -Alan



Offline

#13 2010-10-27 00:54:37

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: Password protect file download

The solution seems to be really quite simple — and it doesn’t have to involve any paid-for software and can be done in Txp with one, existing, plugin.

Here’s how you do it…

  1. Gocom was correct to suggest using a folder outside your site root. So, create your folder … let’s call it ‘myfiles’ outside your site root.
  2. Go to admin > prefs > advanced and change the absolute path Txp is going to use for your files in File directory path to point to the ‘myfiles’ directory you just created. Files can no longer be directly downloaded from mysite.tld\files so no .htaccess tricks needed. mysite.tld\file_download is now the only way to get the files and we are about to add a lock to that door…
  3. Grab, install and enable the ign_password_protect plugin. Switch it over to using its own tables and don’t let it authenticate against the Txp user table.
  4. Upload all your files through the Txp files tab as usual — but notice with ign_password_protect you can now assign each file a permission. In Leo’s case he’d want to assign public files the permission called None and just one of the non-zero ‘Levels’ to be his ‘Board Only’ permissions before he saves anything that is for their eyes only.
  5. All ‘eyes-only’ files should be added to a file category that you need to create called ‘Board-Only.’
  6. Create logins for all the board members[1] and assign them privs to access the single ‘Board only’ permission you are using for their files.
  7. Create a section called ‘Board-Only’, give it a whole page template if you want or just add a corresponding if_section conditional into the default page template.
  8. Inside that section add the ign_password_protect tags that require board-members to login. See the plugin documentation for help with this.
  9. Within the login tags, create your list of file download links that are of file category ‘Board-Only’

Tada! Legit board members should now be able to login to their private section and see the links to all files of category ‘board-only’. ign_password_protect should allow them to download the files via the links. Other, non-board visitors, even if they guess a board-only link, should no longer be able to download the file.

Here endeth the theory. I’ve checked out most of this but not everything suggested here — I leave that as homework for interested parties.

[1] Actually, Leo, I think you could probably get away with a single ‘Board’ login that all board members can share if you never need to make any further distinction between what different board members can download. This would simplify user management a little if there are a lot of folks on the board.


Steve

Offline
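
The approach in the steps above (files kept outside the site root, every ID-based download passing a permission check first) as a stand-alone PHP example added here; it is not Textpattern or ign_password_protect code. `STORE_DIR`, the `$files` table and the `board_member` session flag are hypothetical names, and the file entries are constructed sample data.

```php
<?php
// Constructed example: a gate in front of ID-based downloads.
// STORE_DIR, $files and the 'board_member' session flag are hypothetical
// stand-ins, not Textpattern or plugin identifiers.
const STORE_DIR = '/path/to/myfiles';   // outside the document root

// Constructed sample metadata: file ID => [stored name, category].
$files = [
    4 => ['annual-report.pdf', 'public'],
    5 => ['letterhead.doc',    'board-only'],
    6 => ['board-phones.pdf',  'board-only'],
];

// Access depends on the file's category and the session, not on the URL.
function may_download(array $file, bool $isBoardMember): bool
{
    return $file[1] === 'public' || $isBoardMember;
}

// Resolve a stored name; refuse anything that ends up outside STORE_DIR.
function resolve_path(string $name): ?string
{
    $base = realpath(STORE_DIR);
    $path = realpath(STORE_DIR . '/' . basename($name));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
$id   = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$file = is_int($id) ? ($files[$id] ?? null) : null;
$isBoardMember = !empty($_SESSION['board_member']);

$path = ($file !== null && may_download($file, $isBoardMember))
    ? resolve_path($file[0]) : null;
if ($path === null) {
    // Same answer for "no such ID" and "not allowed", so walking the IDs
    // does not reveal which private files exist.
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```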

#14 2010-10-27 14:30:22

alanfluff
Member
From: Ottawa, Canada
Registered: 2008-09-15
Posts: 222
Website

Re: Password protect file download

Steve, you are a gentleman and a scholar!

THANK you :D

Cheers, -Alan



Offline

#15 2010-10-31 23:14:36

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: Password protect file download

Leo, Alan

Did this work out for either of you? Please let me know if anything breaks down for you or if all goes well.


Steve

Offline
