[TYPO3-dam-devel] RFC #14009: Feature: Enable secure downloads for DAM files
François Suter
fsu-lists at cobweb.ch
Mon Feb 14 20:24:24 CET 2011
Hi,

> Nice improvement! Could you confirm that this is a more secure duplicate
> of 16034 (with a patch by Stan Rolland)?

I wasn't aware of the other feature requests; I answered the one
opened by a colleague of mine a while ago ;-)

I checked Stan's patch and, yes, my implementation is more secure,
because it hides the path to the file in the URL. Instead it relies on
passing a relation to the tx_dam table and the uid of the target record.
This means that access rights are also checked when the link is
followed. With that it is possible to prevent download by unauthorized
persons if - for example - the link was forwarded to someone else and
the recipient of the link is later stripped of his/her rights.

Of course, total protection would also require securing the fileadmin
folder with Apache directives, but at least the full URL to the file is
hidden, which makes it unlikely to be downloaded inadvertently and less
easy to reach with bad intentions.

Cheers
--
Francois Suter
Cobweb Development Sarl - http://www.cobweb.ch
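
The approach described in the message above (a link that carries only a table name and a record uid, with access rights re-checked each time the link is followed), sketched as an added example that is not part of the original post and not the DAM extension's code. The record layout, the function name resolveDownload() and the group ids are assumptions; the sample rows are constructed.

```php
<?php
// Added illustration, not the DAM extension's code.
// Constructed sample rows standing in for the tx_dam table;
// the keys 'path' and 'groups' are hypothetical.
$records = [
    'tx_dam' => [
        42 => ['path' => 'fileadmin/reports/q4.pdf', 'groups' => [3]],
        43 => ['path' => 'fileadmin/public/flyer.pdf', 'groups' => []], // unrestricted
    ],
];

/**
 * Resolve a download request that names a record, never a file path.
 * Returns [HTTP status, file path or null].
 */
function resolveDownload(array $records, string $table, string $uid, array $userGroups): array
{
    // Only tables explicitly enabled for downloads may be referenced.
    if (!isset($records[$table])) {
        return [400, null];
    }
    // The uid must be a plain positive integer, so nothing path-like gets through.
    if (preg_match('/^[1-9][0-9]*$/', $uid) !== 1) {
        return [400, null];
    }
    $record = $records[$table][(int) $uid] ?? null;
    if ($record === null) {
        return [404, null];
    }
    // Access is evaluated on every request against the visitor's current
    // groups, so a forwarded link stops working once rights are withdrawn.
    $restricted = $record['groups'] !== [];
    if ($restricted && array_intersect($record['groups'], $userGroups) === []) {
        return [403, null];
    }
    // Only now does the server-side path come into play; it was never in the URL.
    return [200, $record['path']];
}

// Case 1: visitor currently in group 3 follows the link for uid 42.
var_dump(resolveDownload($records, 'tx_dam', '42', [3]));
// Case 2: the same link, followed after the visitor was removed from group 3.
var_dump(resolveDownload($records, 'tx_dam', '42', []));
// Case 3: a path-like value supplied where the uid is expected.
var_dump(resolveDownload($records, 'tx_dam', '../../secret', [3]));
```

As the message notes, a handler like this only controls the indirect link; requests that go straight to the fileadmin folder still have to be blocked at the web server.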