Securing files in a folder so they can only be accessed by logging in

I need to make sure a folder containing files can only have its contents accessed by logged in users. I posted on another thread here:

https://community.wappler.io/t/secure-file-download-from-a-path-outside-of-website-root/4765/49?u=sitestreet

Can anyone help me achieve this the best way in Wappler?

I also would be very interested in a solution. This would solve a lot of problems I have with storing files outside of root.

This would be very useful and I look forward to a guide via Wappler.

@sitestreet
You can disable directory listing and accessing the files via direct link using .htaccess so it will never be possible to access a file using its link even for logged in users. You then allow access to the files from your web server only.

Then you can create a server action which downloads the file(s) and protect it using security restrict, so only logged-in users can run it. Run it on button click.

Thanks @Teodor, I hoped that would be the case. Do you have any example code for the .htaccess file?

Would this do the job?

deny from all

I’m using:

RewriteRule .*_files.* / [NC,F]

where _files is my files folder located in the site root. It will show forbidden if you direct link to a file inside or try to browse it.

Brilliant, thanks @Teodor.

I’ve created the server action using various actions including security provider. The ‘File Download’ is showing me raw output in the console (it’s a PDF) but isn’t downloading or opening in the browser. Am I doing something wrong?

These steps should be downloading the files perfectly fine. How are you executing the server action?

I’m executing it as a mouse click and putting in the relevant fileid into the GET field.

How are you running your server action? It should be executed via an anchor button/link.
You can either directly link it, or use the routing to create a server connect routing.

Aah, OK. Will make it a link instead of a mouse click.

That’s sorted it. Thanks again @Teodor. Security now in place :)

I ended up using this in the .htaccess file:

Order allow,deny
Deny from all

Seems to work perfectly. Can anyone confirm or reject this as a good solution?

Using the [F] (forbidden) flag is pretty much the same as using Deny in this case, so you should be fine using Deny.

Excellent. Thanks again @Teodor. By using the Deny method I’ve been able to put it in my main /files folder and it secures all the folders beneath it automatically. I’ve then used routing to hide the real paths, too. Perfect solution. :)

7 posts were split to a new topic: Disable direct file downloads on NodeJS
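
The pattern discussed in this thread (folder blocked by .htaccess, files served only through a login-protected download action reached via a link with a `fileid` GET parameter), sketched as an added example in plain PHP. It is not code from the thread and not what Wappler generates; the file name `download.php`, the `user_id` session key, the `/files` location and the catalogue entries are assumptions made for illustration.

```php
<?php
// download.php: hypothetical stand-alone handler (plain PHP, not Wappler-generated code).
declare(strict_types=1);

// Assumption: the protected folder is /files under the site root, blocked by .htaccess.
const FILES_DIR = __DIR__ . '/files';

// Constructed sample catalogue; a real site would look the id up in its database.
const CATALOGUE = [
    '1' => 'reports/2019-summary.pdf',
    '2' => 'manuals/setup.pdf',
];

/** Map a file id to a real path inside $baseDir, or null if it must not be served. */
function resolveDownload(string $fileId, array $catalogue, string $baseDir): ?string
{
    if (!isset($catalogue[$fileId])) {
        return null; // unknown id: never build a path from raw request input
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $catalogue[$fileId]);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Confinement check: the resolved path (symlinks and ../ expanded) must stay under $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) { // assumption: the login action sets this key
    http_response_code(401);
    exit('Login required');
}
$fileId = $_GET['fileid'] ?? '';
$path = is_string($fileId) ? resolveDownload($fileId, CATALOGUE, FILES_DIR) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because PHP reads the file from disk rather than over HTTP, the .htaccess deny rule on the folder does not affect this handler, while a direct request for anything under the folder still returns Forbidden.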