PortalParts.com Site

 Want to prevent anonymous access by filename
lfa
 March 31 2004 07:35 AM

(By the way, I just installed the 1.3 RC1 beta as a fresh install, and all went well.)

I know a lot of questions have been asked on the subject of permissions, but I can't seem to find the answer to this one.

My ISP doesn't allow me to chown files, so it seems that I have to set the permission on the filemgmt_data directory and subdirectories to 777 in order for upload to work.

1) If I configure the filemgmt plugin to deny anonymous access to files, I don't see any way to prevent an anonymous user from downloading a file if they can guess the filename.

2) It seems like the above would be true even if I were allowed to chown the directories so that they were owned by the web server.

Are 1) and 2) right or am I missing something?


 
Blaine
 March 31 2004 08:51 AM  

The download script "visit.php" checks that members have access privileges, so if you block anonymous access, then users won't be able to access the files from the plugin.

Anyone can still download the file if they know the full URL with filename to the remote file. You would have to protect files using .htaccess if you think files are being downloaded that way.


lfa
 March 31 2004 09:10 AM  
Posts: 17

So a .htaccess file could be used to prevent anonymous access to the files by full URL, but still allow access by logged-in users? Can you give me an idea of the approach I'd need to use in the .htaccess file to allow logged-in users?


 
Blaine
 March 31 2004 09:21 AM  
Posts: 3576

Off-hand, I don't have the .htaccess configuration to do that. I've seen some pretty security features implemented via .htaccess, but I would need to research that. Maybe other members have more information or suggestions.


lfa
 March 31 2004 09:25 AM  
Posts: 17

Fair enough, I'm happy to research .htaccess. Just one more question, which is geeklog specific: what difference between a logged-in user and an anonymous user should .htaccess test for? Is it a matter of a cookie that it could read? Or a header in the HTTP GET request?


 
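An added example, not part of the thread and not Geeklog or filemgmt code: a .htaccess for the file store that contrasts a cookie-presence test with denying direct web access outright. It assumes the download script reads files from disk and sends them itself rather than redirecting the browser to the file's URL, and that the host allows these directives in .htaccess; `filemgmt_data` is the directory named in the thread and `SESSION_COOKIE_NAME` is a placeholder.

```apache
# .htaccess placed in the filemgmt_data directory (name taken from the thread).
# Added example; assumes AllowOverride permits these directives on the host.

# --- Weak: test for a session cookie (left commented out) -------------------
# mod_rewrite can only see that a cookie with this name was sent. It cannot
# ask the application whether the session behind it is valid, so this proves
# nothing about who is logged in. SESSION_COOKIE_NAME is a placeholder.
#
# RewriteEngine On
# RewriteCond %{HTTP_COOKIE} !SESSION_COOKIE_NAME= [NC]
# RewriteRule .* - [F]

# --- Stronger: refuse every request made by URL -----------------------------
# Direct requests for a stored file return 403 whether or not the filename is
# guessed correctly. A server-side script that has already checked the user's
# permissions can still open the file from disk, because that is filesystem
# access and is not subject to these HTTP access rules.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 1.3 / 2.0 / 2.2 (older access-control syntax)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

If the download script instead redirects the browser to the file's URL, these rules will also block logged-in users, so check how it delivers files before deploying them.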