[TYPO3-dam-devel] RFC #14009: Feature: Enable secure downloads for DAM files
François Suter
fsu-lists at cobweb.ch
Mon Feb 14 17:55:34 CET 2011
This is an SVN patch request.
Type: New feature
Bugtracker references:
http://bugs.typo3.org/view.php?id=14009
Branches:
Trunk
Problem:
The DAM implements its own typolink method for the media tag (in
binding/mediatag/class.tx_dam_tsfemediatag.php). This "variant" of
typolink does not fully support secure downloads via the Jump URL mechanism.
Solution:
The attached patch implements the full secure download functionality.
This entails two parts:
1) modifying tx_dam_tsfemediatag::typoLink() to support secure download
as could be expected from the TypoScript typolink properties (i.e.
setting the jumpurl.secure property to 1). The implementation I propose
makes use of the locationData GET variable to pass DAM-related
information in the URL. This way it is not necessary to pass the path to
the file (which jumpurl normally does) and thus reveal it to the wide world.
2) calculating the jumpurl based on the locationData GET variable so
that the file can be downloaded. This is achieved by using the
checkDataSubmission hook from tslib_fe and calling a method which I
added to tx_dam_tsfe. This method fetches the DAM record corresponding
to the information from the locationData. User rights are taken into
account during the call to tx_dam::media_getByUid(), which means that
the jumpurl will be empty if the user doesn't have rights to the file.
An error message is issued at that point. A hook is provided for custom
error handling.
Test scenario:
1) create a simple text content element and make a link to some media
elements (both with and without access rights).
2) activate the secure download feature with the following TS:
    plugin.tx_dam_tsfemediatag.tag.typolink.jumpurl = 1
    plugin.tx_dam_tsfemediatag.tag.typolink.jumpurl.secure = 1
3) view the content. The URL should follow the jumpurl pattern and the
file path should not be visible. If you're not logged in with the proper
FE user, there should be no link at all (nothing new here). Try clicking
on the links. All files should download properly. Now copy the link to
one of the access-protected files and copy it in another browser where
you don't have a FE session. You should get the error message.
I hope this is clear enough, just ask if not ;-)
Notes:
This development was sponsored by the City of Geneva.
Cheers
--
Francois Suter
Cobweb Development Sarl - http://www.cobweb.ch
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 14009.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-dam/attachments/20110214/e4d95faa/attachment.asc>
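
A minimal sketch of the two-part design described in the message above, added here as an illustration: it is not the code from 14009.diff and does not call the TYPO3 or DAM API. The function names, the sample records, the jumpurl=1 parameter and the "page:table:uid" layout of locationData are assumptions.

```php
<?php
// Added illustration, not the code from 14009.diff. All names are hypothetical.
// Constructed sample records; fe_group '' means public.
function mediaRecords(): array
{
    return [
        12 => ['path' => 'fileadmin/docs/public.pdf', 'fe_group' => ''],
        13 => ['path' => 'fileadmin/docs/internal.pdf', 'fe_group' => '2,5'],
    ];
}

// Part 1: the link carries a record reference, never the file path.
// The "page:table:uid" layout of locationData used here is an assumption.
function buildDownloadUrl(int $pageId, int $mediaUid): string
{
    $locationData = $pageId . ':tx_dam:' . $mediaUid;
    return 'index.php?id=' . $pageId . '&jumpurl=1&locationData=' . rawurlencode($locationData);
}

// Part 2: resolve the reference on every request; '' means "no jumpurl".
function resolveJumpUrl(string $locationData, array $userGroups): string
{
    // Strict parse: reject anything that is not "<int>:tx_dam:<int>".
    if (!preg_match('/^\d+:tx_dam:(\d+)\z/', $locationData, $m)) {
        return '';
    }
    $record = mediaRecords()[(int)$m[1]] ?? null;
    if ($record === null) {
        return '';
    }
    if ($record['fe_group'] === '') {
        return $record['path'];
    }
    // Access is checked against the requesting session, not the one that rendered the link.
    $allowed = array_map('intval', explode(',', $record['fe_group']));
    return array_intersect($allowed, $userGroups) ? $record['path'] : '';
}

function handleDownload(string $locationData, array $userGroups): string
{
    $path = resolveJumpUrl($locationData, $userGroups);
    return $path === '' ? 'ERROR: access denied' : 'SEND: ' . $path;
}

$url = buildDownloadUrl(42, 13);
parse_str(parse_url($url, PHP_URL_QUERY), $query);
echo $url, "\n";
echo handleDownload($query['locationData'], [5]), "\n"; // FE session in group 5
echo handleDownload($query['locationData'], []), "\n";  // same URL, no FE session
```

The last two calls mirror step 3 of the test scenario: the same copied URL is resolved once with a session that has rights to the file and once without any FE session.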