I need to make sure a folder containing files can only have its contents accessed by logged in users. I posted on another thread here:
Can anyone help me achieve this the best way in Wappler?
I also would be very interested in a solution. This would solve a lot of problems I have with storing files outside of root.
This would be very useful and I look forward to a guide via Wappler.
@sitestreet
You can disable directory listing and accessing the files via direct link using .htaccess so it will never be possible to access a file using its link even for logged in users. You then allow access to the files from your web server only.
Then you can create a server action which downloads the file(s) and protect it using security restrict, so only logged-in users can run it. Run it on button click.
Thanks @Teodor, I hoped that would be the case. Do you have any example code for the .htaccess file?
Would this do the job?
deny from all
I’m using:
RewriteRule .*_files.* / [NC,F]
where _files is my files folder located in the site root. It will show forbidden if you direct link to a file inside or try to browse it.
Brilliant, thanks @Teodor.
I’ve created the server action using various actions including security provider. The ‘File Download’ is showing me raw output in the console (it’s a PDF) but isn’t downloading or opening in the browser. Am I doing something wrong?
These steps should be downloading the files perfectly fine. How are you executing the server action?
I’m executing it as a mouse click and putting in the relevant fileid into the GET field.
How are you running your server action? It should be executed via an anchor button/link.
You can either directly link it, or use the routing to create a server connect routing.
Aah, OK. Will make it a link instead of a mouse click.
I ended up using this in the .htaccess file:
Order allow,deny
Deny from all
Seems to work perfectly. Can anyone confirm or reject this as a good solution?
Using the [F] (forbidden) flag is pretty much the same as using Deny in this case, so you should be fine using Deny.
Excellent. Thanks again @Teodor. By using the Deny method I’ve been able to put it in my main /files folder and it secures all the folders beneath it automatically. I’ve then used routing to hide the real paths, too. Perfect solution.
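The flow described in this thread (folder blocked by .htaccess, files handed out only by a login-protected download action called with a fileid), written out as an added example in plain Node.js. It is not code from the thread and not what Wappler generates; the file table, BASE_DIR and the function name are assumptions made for illustration.

```javascript
// Added example: hypothetical names throughout, not Wappler's generated code.
// Constructed stand-in for a database table mapping file ids to stored names.
const FILES = new Map([
  [101, { name: 'invoice-2024.pdf', type: 'application/pdf' }],
  [102, { name: '../.htaccess', type: 'text/plain' }], // bad row, must be refused
]);

const BASE_DIR = '/var/www/site/files'; // assumed folder holding the "Deny from all" .htaccess
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]*$/; // a plain file name, no separators

// Decide how to answer GET /download?fileid=... for a given session.
// Returns the status, the response headers, and the path the server should stream.
function resolveDownload(session, rawFileId) {
  // 1. Same role as the "security restrict" step: anonymous users get nothing.
  if (!session || !session.userId) {
    return { status: 401, headers: {}, path: null };
  }
  // 2. Accept only a numeric id; the client never supplies a path.
  if (!/^\d+$/.test(String(rawFileId))) {
    return { status: 400, headers: {}, path: null };
  }
  const record = FILES.get(Number(rawFileId));
  if (!record) {
    return { status: 404, headers: {}, path: null };
  }
  // 3. Defence in depth: the stored name must stay inside BASE_DIR.
  if (!SAFE_NAME.test(record.name) || record.name.includes('..')) {
    return { status: 403, headers: {}, path: null };
  }
  // 4. Content-Disposition makes a linked request save the file.
  return {
    status: 200,
    headers: {
      'Content-Type': record.type,
      'Content-Disposition': `attachment; filename="${record.name}"`,
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'private, no-store',
    },
    path: `${BASE_DIR}/${record.name}`,
  };
}
```

The browser only acts on Content-Disposition when it navigates to the URL itself, which is why the action has to be reached through a link rather than a background request.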