Protecting Downloads from Anonymous Users
This note is in response to a query on the PN bulletin board: http://forums.postnuke.com/phpBB2/viewtopic.php?t=2804
This is an interesting one. Postnuke allows you to list downloadable files and categorise them in the Downloads module. The modules supports the permissions system so that various categories can be hidden from various groups of users, most often from anonymous users.
The problem is that the permissions only protects the categorised links to the files, it does not protect the files themselves. Once someone knows the URL to one of your downloadable files, then they can link direct to it, completely bypassing the Downloads module itself.
The hack described here will get around that. It allows you to place your files in a directory protected from the Web using '.htaccess' and forces the user to go through the Downloads module to get to those files. Before I go any further, I must stress that this is an unofficial hack and I have only tested it on Redhat 7.2/Apache 1.3 and PostNuke .721 (SE). I have a hunch it may not work under a Windows server, but if you find otherwise then please let me know.
In addition to the security protection, this hack provides the following bugfixes/additions:
- Validate Links now works for site-relative links (e.g. downloads/file.pdf rather than http://yoursite/downloads/file.pdf)
- Icons are available for a number of common file types.
- Downloads can be linked to using the download name instead of an ID.
- Most of the changes are in additional files, making upgrades much easier.
There are no database changes to this hack, so if it does not work for you, then simply copy your original files back. Here are the steps for installing the hack:
- Back up or rename your original Downloads module (modules/Downloads/ directory).
- Unzip the archive to the modules/ directory.
- Protect your downloadable files using ".htaccess".
If your downloadable files are stored in directories under "downloads/" then protect the top-level "downloads" directory with a .htaccess file containing something like the following:
.htaccess:
Order allow,deny
deny from all
Now downloads that consist of a full URL (e.g. http://anysite/downloads/file.pdf) will be linked in the normal way. This means the URL of the file will be sent to the client browser and the browser will attempt to fetch it. If it happens to be one of the protected files that it links to, then you should get a "403 Forbidden" response. But if the file's URL is entered as a site-relative URL (e.g. downloads/file.pdf) then the Downloads module will deliver the file to the browser directly. You can then use Permissions to determine who gets access to which files.
As a bonus, you can link to any file in the downloads using the name (the title) as well as its ID. This makes creating content a lot easier:
e.g. modules.php?op=modload&name=Downloads&file=index?req=getitname&filename=myfile.pdf
Note that the 'filename' parameter is actually the download title, not the filename.
Another little trick you can do here is to fully support a user right-clicking on the link and choosing 'save as'. By default the file will save as 'modules.php' or 'modules.pdf'. To fool the browser into getting the right name, put the file name into the URL after 'modules.php', like this:
modules.php/myfile.pdf?op=modload&name=Downloads&file=index?req=getitname&filename=myfile.pdf
Now you can allow a user to click directly on the link to open the file, or right-click and save to save the file using the correct name.
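To make the two ideas above concrete (the module delivering a site-relative file from a directory Apache denies, and the browser getting the right 'save as' name), here is a stand-alone PHP sketch. It is an added illustration, not code from the hack or from PostNuke: the site root path, the 'link' parameter and the user_may_download() permission stub are assumptions, and it assumes a modern PHP (7.1 or later).

```php
<?php
// Added illustration, not the Downloads hack's own code.
// Assumptions: the site lives at SITE_ROOT, the protected files sit under
// SITE_ROOT/downloads (denied to the Web by the .htaccess shown above), and
// the stored link is site-relative, e.g. "downloads/file.pdf".
define('SITE_ROOT', '/var/www/html'); // assumed path

// Hypothetical stand-in for the PostNuke Permissions check on the download title.
function user_may_download(string $title): bool {
    return true;
}

// Resolve a site-relative link to a real path and refuse anything that
// escapes the downloads directory (e.g. "downloads/../config.php").
function resolve_download(string $relative): ?string {
    $root = realpath(SITE_ROOT . '/downloads');
    $candidate = realpath(SITE_ROOT . '/' . $relative);
    if ($root === false || $candidate === false) {
        return null;
    }
    // The resolved path must be strictly inside the downloads directory.
    if (strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0 || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// Stream the file itself, so the browser is never given a URL into the
// denied directory and the permission check cannot be bypassed by linking direct.
function send_download(string $title, string $relative): void {
    if (!user_may_download($title)) {
        header('HTTP/1.0 403 Forbidden');
        exit;
    }
    $path = resolve_download($relative);
    if ($path === null) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    // Content-Disposition tells the browser the real name for 'save as',
    // which achieves the same as the modules.php/myfile.pdf path trick.
    $name = str_replace('"', '', basename($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);
    exit;
}

send_download($_GET['filename'] ?? '', $_GET['link'] ?? '');
```

Full URLs are deliberately not handled here; as the note says, those are simply emitted as links and the browser fetches them itself.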
It just remains to give you the download archive: Downloads721academe121102.zip (old)
Here is a later version with some further fixes: Downloads721academe161102.zip (old)
Further fixes: Downloads721academe070203.zip
Have fun!
Last updated:
Wednesday, 28-May-2008 16:14:19 BST