[TYPO3-english] Restrict access to files referenced on pages

bernd wilke t3ng at bernd-wilke.net
Tue Nov 25 08:35:12 CET 2014


On 24.11.14 22:52, Christoph Holtermann wrote:
> Hello,
>
> is there a possibility or extension to restrict access to files
> in folders to files that are being referenced by active pages ?
> So if I have page A where file B can be downloaded I want to
> stop access to file B when page A goes offline (deleted
> or inactive).
>
> I believe that in general I have all my files in a download folder
> that can be accessed from the outside and every link on a
> page in TYPO3 to such a file is just a link and if I copy that link
> I can access that file all the time even if the page got deleted.
> If the page exists doesn't matter because it's just a collection
> of links to my download folder.
>
> I know that in MediaWiki there is an extension that changes
> the behavior so that all files are in a restricted area that
> can not be accessed from the outside. The link on a page
> fetches the file, maybe generates a dynamic copy of that
> file or however that may be handled there. The effect is that
> the file can only be accessed via the page / the link makes
> a call to the system first to ask if the file is active and only then
> grants access.
>
> The thing is that access to files by google etc. shall be limited
> to the files on online pages.

you need to transfer the files by a script which only transfers data if 
the page is active.
first part is a htaccess so no file can be accessed directly from outside.
second: the script must be bound to the visibility of the page, 
otherwise the file can be always accessed by script.

if you transmit the filepath as parameter to the transfer-script you get 
no control. but you can use records on the page which contain the 
filepath. the script gets a record uid and with that you can check: is 
the page visible by using the record pid, then transfer the file 
(filepath (or FAL-ID) stored in record), otherwise: return with 
appropriate error 404/500/...

another way would be to grant only temporary access to the files.
for each page request (or cache build) generate a unique code valid just 
for (cache lifetime!) 10 minutes.
you may use temp-records or compute some url-parameters: filepath, 
validtime, hashcode to protect.
maybe you can use cHash to hide the url-parameters in the cHash-record


bernd
-- 
http://www.pi-phi.de/cheatsheet.html
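
The temporary-access variant from the reply above (url-parameters filepath, validtime, hashcode), sketched in plain PHP as an added example; it is not code from the thread or from TYPO3. SECRET, the function names and the sample path are assumptions made for illustration.

```php
<?php
// Constructed placeholder: a long random key that never leaves the server.
const SECRET = 'replace-with-a-long-random-server-side-key';
const LIFETIME = 600; // 10 minutes, as suggested in the reply

// Called while the page is rendered: returns the query parameters for one link.
function signDownload(string $filepath, int $now): array
{
    $validtime = $now + LIFETIME;
    // The hashcode covers both values, so neither can be changed by the client.
    $hashcode = hash_hmac('sha256', $filepath . '|' . $validtime, SECRET);
    return ['filepath' => $filepath, 'validtime' => $validtime, 'hashcode' => $hashcode];
}

// Called by the transfer script before it reads anything from disk.
function isValidDownload(array $params, int $now): bool
{
    $filepath  = (string)($params['filepath'] ?? '');
    $validtime = (int)($params['validtime'] ?? 0);
    $hashcode  = (string)($params['hashcode'] ?? '');

    $expected = hash_hmac('sha256', $filepath . '|' . $validtime, SECRET);
    if (!hash_equals($expected, $hashcode)) {
        return false; // parameters altered, or link never issued by the page
    }
    if ($now > $validtime) {
        return false; // link is older than its lifetime
    }
    // Even a correctly signed path must stay inside the download folder.
    if ($filepath === '' || $filepath[0] === '/'
        || in_array('..', explode('/', $filepath), true)) {
        return false;
    }
    return true;
}

// Constructed demonstration values.
$now  = 1416900000;
$link = signDownload('reports/file-b.pdf', $now);
var_dump(isValidDownload($link, $now + 60));           // link used within its lifetime
var_dump(isValidDownload($link, $now + LIFETIME + 1)); // same link after expiry
$link['filepath'] = 'reports/other.pdf';
var_dump(isValidDownload($link, $now + 60));           // filepath changed by the client
```

The transfer script would answer with 404 whenever the check fails, and the download folder itself stays closed by the htaccess rule. Links in a cached page stop working once the lifetime has passed, so the lifetime has to match the cache lifetime.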

