Hello all,

Please could someone point me in the right direction...

I need to develop some code in a Joomla component whereby a file can be downloaded by only one user - so it is restricted by the user ID of the logged-in user.

If the user is not the user authorised to download the file in question then they may not download the file, even if they have a direct link for it.

What's the best way to go about this?

Even the smallest little pointer would be of superb help.

Thanks in advance.

Jamie


Replies to This Discussion

Remository might be worth checking out.

Thank you so much for your replies.
This is a completely custom development.
I am well aware of the getUser method but the part that's baffling me is this:
If someone who has the right to download the file is given the link to the file in this way, what is to stop them from passing it to someone else? I need to make sure that only the authorised user has access to the file, even if they pass the link on to someone else.

I know of 2 methods to get round this:

1.)Store the files in (for example) media/restricted_downloads, and put a .htaccess file in there that denies from all. Then once you have done your ACL, read the file, and send it to the browser, e.g. something like:

header('Content-type: application/zip');
header('Content-Disposition: attachment; filename="'.$filename.'"');
readfile($filePath);
flush();

2.)Same thing, but store the files above the webroot.
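
One way to put the two methods above into practice, as an added example that is not part of the thread or of any poster's attached file: the ownership check runs before any bytes are sent, and the stored path is confirmed to sit inside the restricted directory. The helpers `resolveDownload` and `sendDownload` and the `$record` row are hypothetical; `JFactory::getUser()` is assumed to be available as in the Joomla releases of the time.

```php
<?php
// Added example: helper names and the sample row are hypothetical.

/**
 * Decide whether $userId may download the file described by $record.
 * $record is a constructed row: owner_id, stored_name, download_name.
 * Returns the absolute path to stream, or null to refuse.
 */
function resolveDownload($userId, array $record, $storageDir)
{
    // Guests have ID 0 in Joomla; only the owning user ID is allowed.
    if ((int) $userId === 0 || (int) $userId !== (int) $record['owner_id']) {
        return null;
    }
    // Resolve symlinks and ".." and insist the result stays inside storage.
    $base = realpath($storageDir);
    $path = realpath($storageDir . '/' . $record['stored_name']);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

function sendDownload($path, $downloadName)
{
    // Strip anything that could break out of the quoted header value.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($downloadName));
    while (ob_get_level() > 0) {
        ob_end_clean();          // stray buffered output would corrupt the file
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    exit;                        // nothing may be appended after the file
}

// In the component's download task. $record would come from the component's
// own table, looked up by a file ID from the request (never a path).
$record = array('owner_id' => 42, 'stored_name' => 'a1b2c3.zip',
                'download_name' => 'report.zip');   // constructed sample row
$userId = class_exists('JFactory') ? JFactory::getUser()->id : 0;
$path   = resolveDownload($userId, $record, __DIR__ . '/restricted_downloads');
if ($path === null) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not authorised');
}
sendDownload($path, $record['download_name']);
```

Because the check is tied to the logged-in user ID rather than to the URL, a link passed to another account resolves to the 403 branch.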

Genius! I knew it would have something to do with that head content thing. Thanks mate, I'll give it a go right away.

Matt Thomson said:
I know of 2 methods to get round this:

1.)Store the files in (for example) media/restricted_downloads, and put a .htaccess file in there that denies from all. Then once you have done your ACL, read the file, and send it to the browser, e.g. something like:

header('Content-type: application/zip');
header('Content-Disposition: attachment; filename="'.$filename.'"');
readfile($filePath);
flush();

2.)Same thing, but store the files above the webroot.

I think it would be easier to store the file directly in the database. Your component checks if that user has the right to download the file and sends it to the browser. That way you don't have to mess with a htaccess file or a directory outside your Joomla site.

I think there is a scalability problem with files in the database. I back up my site files manually once a month or so, but I have my database emailed to me once every week. I can do this because my database is only 10MB. If my database has 100 files in it, and is 500MB, I can't easily back up the database.

Great question - @Matt Thomson - thanks for that answer. MUCH appreciated!

I made my own little component to download files from a secure location (http://www.ignitejoomlaextensions.com/component/option,com_idownloa...), it is only one file (no admin interface), but if you want, I can post it somewhere.

Yes! Thanks! :)

Matt Thomson said:
I made my own little component to download files from a secure location (http://www.ignitejoomlaextensions.com/component/option,com_idownloa...), it is only one file (no admin interface), but if you want, I can post it somewhere.

I attached the file (with vars specific to my server removed).

I get the idea - don't store files in the database! (I wasn't going to anyway)
Also, can I just add, this is the first time I have asked a development question in ATAAW and I am incredibly impressed at the time it has taken to get some really good quality responses. Massive thanks to Amy for putting this site together and everyone else for your excellent answers to my question.

...At least I think it was Amy who put it together, let me know if I'm wrong!


© 2012   Created by Amy Stephen.
