[TYPO3-dam-devel] RFC #14009: Feature: Enable secure downloads for DAM files

François Suter fsu-lists at cobweb.ch
Mon Feb 14 17:55:34 CET 2011


This is an SVN patch request.

Type: New feature

Bugtracker references:
http://bugs.typo3.org/view.php?id=14009

Branches:
Trunk

Problem:
The DAM implements its own typolink method for the media tag (in 
binding/mediatag/class.tx_dam_tsfemediatag.php). This "variant" of 
typolink does not fully support secure downloads via the Jump URL mechanism.

Solution:
The attached patch implements the full secure download functionality. 
This entails two parts:

1) modifying tx_dam_tsfemediatag::typoLink() to support secure download 
as could be expected from the TypoScript typolink properties (i.e. 
setting the jumpurl.secure property to 1). The implementation I propose 
makes use of the locationData GET variable to pass DAM-related 
information in the URL. This way it is not necessary to pass the path to 
the file (which jumpurl normally does) and thus reveal it to the wide world.

2) calculating the jumpurl based on the locationData GET variable so 
that the file can be downloaded. This is achieved by using the 
checkDataSubmission hook from tslib_fe and calling a method which I 
added to tx_dam_tsfe. This method fetches the DAM record corresponding 
to the information from the locationData. User rights are taken into 
account during the call to tx_dam::media_getByUid(), which means that 
the jumpurl will be empty if the user doesn't have rights to the file. 
An error message is issued at that point. A hook is provided for custom 
error handling.

Test scenario:
1) create a simple text content element and make a link to some media 
elements (both with and without access rights).

2) activate the secure download feature with the following TS:

plugin.tx_dam_tsfemediatag.tag.typolink.jumpurl = 1
plugin.tx_dam_tsfemediatag.tag.typolink.jumpurl.secure = 1

3) view the content. The URL should follow the jumpurl pattern and the 
file path should not be visible. If you're not logged in with the proper 
FE user, there should be no link at all (nothing new here). Try clicking 
on the links. All files should download properly. Now copy the link to 
one of the access-protected files and copy it in another browser where 
you don't have a FE session. You should get the error message.

I hope this is clear enough, just ask if not ;-)

Notes:
This development was sponsored by the City of Geneva.

Cheers

-- 
Francois Suter
Cobweb Development Sarl - http://www.cobweb.ch

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 14009.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-dam/attachments/20110214/e4d95faa/attachment.asc>
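
An added example (not part of the original mail or of 14009.diff) of the resolution step described under "Solution": the URL carries only a record reference, and the file path is looked up on the server under the requesting user's rights. The reference format "<pageId>:tx_dam:<uid>", the sample records and the function names are assumptions made for this illustration.

```php
<?php
// Added illustration, not the code from 14009.diff. Names and data are hypothetical.

// Constructed sample records: uid => file path plus the FE groups allowed to
// read it (an empty list means the file is public).
$records = array(
    12 => array('path' => 'fileadmin/docs/public.pdf',   'groups' => array()),
    13 => array('path' => 'fileadmin/docs/internal.pdf', 'groups' => array(2)),
);

/**
 * Rights-aware lookup, standing in for the role tx_dam::media_getByUid() plays
 * in the mail: returns the record only if the user may read it, else null.
 */
function getRecordForUser(array $records, $uid, array $userGroups)
{
    if (!isset($records[$uid])) {
        return null;
    }
    $allowed = $records[$uid]['groups'];
    if ($allowed && !array_intersect($allowed, $userGroups)) {
        return null;
    }
    return $records[$uid];
}

/**
 * Resolve the reference from the URL to a file path (assumed format above).
 * Returns '' for a malformed reference, an unknown uid or denied access alike;
 * the optional $onError callback stands in for the custom error-handling hook.
 */
function resolveDownload(array $records, $locationData, array $userGroups, $onError = null)
{
    $path = '';
    if (preg_match('/^(\d+):tx_dam:(\d+)$/D', (string)$locationData, $m)) {
        $record = getRecordForUser($records, (int)$m[2], $userGroups);
        if ($record !== null) {
            $path = $record['path'];
        }
    }
    if ($path === '' && is_callable($onError)) {
        call_user_func($onError, $locationData);
    }
    return $path;
}

var_dump(resolveDownload($records, '5:tx_dam:13', array(2)));      // member of group 2
var_dump(resolveDownload($records, '5:tx_dam:13', array()));       // no FE session
var_dump(resolveDownload($records, '5:tx_dam:../../x', array(2))); // malformed reference
```

Because the rights check runs when the link is resolved, not only when it is rendered, a link copied into a browser without an FE session resolves to an empty path, which is the case step 3 of the test scenario exercises.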

