[TYPO3-dam-devel] RFC #14009: Feature: Enable secure downloads for DAM files

François Suter fsu-lists at cobweb.ch
Wed Feb 23 12:33:29 CET 2011


REMINDER

> This is an SVN patch request.
>
> Type: New feature
>
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=14009
>
> Branches:
> Trunk
>
> Problem:
> The DAM implements its own typolink method for the media tag (in
> binding/mediatag/class.tx_dam_tsfemediatag.php). This "variant" of
> typolink does not fully support secure downloads via the Jump URL
> mechanism.
>
> Solution:
> The attached patch implements the full secure download functionality.
> This entails two parts:
>
> 1) modifying tx_dam_tsfemediatag::typoLink() to support secure download
> as could be expected from the TypoScript typolink properties (i.e.
> setting the jumpurl.secure property to 1). The implementation I propose
> makes use of the locationData GET variable to pass DAM-related
> information in the URL. This way it is not necessary to pass the path to
> the file (which jumpurl normally does) and thus reveal it to the wide
> world.
>
> 2) calculating the jumpurl based on the locationData GET variable so
> that the file can be downloaded. This is achieved by using the
> checkDataSubmission hook from tslib_fe and calling a method which I
> added to tx_dam_tsfe. This method fetches the DAM record corresponding
> to the information from the locationData. User rights are taken into
> account during the call to tx_dam::media_getByUid(), which means that
> the jumpurl will be empty if the user doesn't have rights to the file.
> An error message is issued at that point. A hook is provided for custom
> error handling.
>
> Test scenario:
> 1) create a simple text content element and make a link to some media
> elements (both with and without access rights).
>
> 2) activate the secure download feature with the following TS:
>
> plugin.tx_dam_tsfemediatag.tag.typolink.jumpurl = 1
> plugin.tx_dam_tsfemediatag.tag.typolink.jumpurl.secure = 1
>
> 3) view the content. The URL should follow the jumpurl pattern and the
> file path should not be visible. If you're not logged in with the proper
> FE user, there should be no link at all (nothing new here). Try clicking
> on the links. All files should download properly. Now copy the link to
> one of the access-protected files and copy it in another browser where
> you don't have a FE session. You should get the error message.
>
> I hope this is clear enough, just ask if not ;-)
>
> Notes:
> This development was sponsored by the City of Geneva.
>
> Cheers
>


-- 

Francois Suter
Cobweb Development Sarl - http://www.cobweb.ch
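
The resolution step described in part 2 of the quoted RFC, sketched as an added example; it is not part of the original message and is not the code from the attached patch. All function names, the sample records, the `tx_dam` table check and the `pageId:table:uid` shape of the locationData value are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical names, not TYPO3 or DAM API.
// Constructed sample records; 'groups' lists the FE groups allowed to read
// the file, and an empty list means the file is public.
$records = [
    12 => ['path' => 'fileadmin/media/report.pdf', 'groups' => []],
    13 => ['path' => 'fileadmin/media/minutes.pdf', 'groups' => [4]],
];

// Parse an assumed "pageId:table:uid" value; only the media table is accepted,
// and the last part must be a numeric uid, never a path.
function parseLocationData(string $locationData): ?int
{
    if (!preg_match('/^\d+:([a-z0-9_]+):(\d+)$/D', $locationData, $m)) {
        return null;
    }
    return $m[1] === 'tx_dam' ? (int)$m[2] : null;
}

// Return the path to deliver, or '' when the reference is malformed, the
// record is unknown, or the user lacks rights. The caller treats '' as
// "no download" and cannot tell these cases apart.
function resolveDownload(string $locationData, array $userGroups, array $records, ?callable $onDenied = null): string
{
    $uid = parseLocationData($locationData);
    $record = $uid === null ? null : ($records[$uid] ?? null);
    $allowed = $record !== null
        && ($record['groups'] === [] || array_intersect($record['groups'], $userGroups) !== []);
    if (!$allowed) {
        if ($onDenied !== null) {
            $onDenied($locationData); // stand-in for a custom error handling hook
        }
        return '';
    }
    return $record['path'];
}

$log = function (string $ref): void { error_log('download refused for ' . $ref); };
$cases = [
    ['5:tx_dam:12', []],                           // public file, anonymous user
    ['5:tx_dam:13', [4]],                          // protected file, member of group 4
    ['5:tx_dam:13', []],                           // protected file, link pasted without a session
    ['5:tx_dam:fileadmin/media/minutes.pdf', [4]], // a path instead of a uid
    ['5:tt_content:13', [4]],                      // reference to another table
];
foreach ($cases as [$ref, $groups]) {
    $path = resolveDownload($ref, $groups, $records, $log);
    echo str_pad($ref, 40), ' => ', ($path === '' ? '(refused)' : $path), PHP_EOL;
}
```

The access decision is made when the link is followed, not only when it is rendered, which is why a copied URL fails in a browser without the right FE session.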

