[TYPO3-english] typo3 7.5 file access control

Xavier Perseguers xavier.perseguers at typo3.org
Thu Oct 22 08:45:50 CEST 2015


Hi,

> With TYPO3 7.5 and extension advanced file metadata, there's the
> "access" tab for each file. In this tab, one can specify fe_groups with
> access granted for the file.
> Even if a file has a group indicated, it can be called directly by its URL.

Yes, because there is no actual restriction implemented for files in
Core. You need to implement it on your own (or use a non-core extension).

> So, I don't know how to secure my files, natively, I don't want to use
> non-core extensions.

You'll be very limited or have to code on your own, thus have additional
maintenance to do yourself.

Strictly speaking, I agree that Core comes with many, many system extensions
which deal with more or less everything a basic website needs (and a bit
more). However, when it comes to "special requirements" (and restricting
access to assets based on user groups is such a typical special
requirement, or authenticating with LDAP, or...) you will have to either
code it yourself or rely on some non-core extension. The wish for Core
is even to move some (currently) system extensions to TER since they are
of no use for simple websites and it's better not to bloat the Core with
possibly mainly useless extensions.

How to choose a non-core extension to use in your website? There is no
simple rule for that, it's often - at some point - a matter of taste but
some ideas:

- Once you successfully find some "good" extension, I would trust the
same author slightly more for another extension, since chances are quite
high that the same "quality" applies to her/his other maintained extensions

- Check how well maintained the extension is, does it have a link to the
bug tracker, does it stick to semantic versioning, is there a proper
release message telling you "what" was updated?

- How many downloads? It's not a real number but it gives you an idea if
some user base exists or if it is only used internally and was published
"for nothing"

- Does it come with some documentation, or with either nothing or a
sample documentation file which was neither removed nor changed? I'd
basically suggest NOT using any installation without any doc, even if
there is none really "needed". Having a doc, even a short one, is IMHO a
sign of quality

Kind regards

-- 
Xavier Perseguers
TYPO3 CMS Team

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

