Problems, need help? Have a tip or advice? Post it here.
4 posts Page 1 of 1
I need to protect files from being 'hotlinked' or downloaded by browser a secure folder.

- - -

UPDATE: CmsFu » Functions "protect-file" and "protect-folder" now help with this.

- - -

Old post below:
~ ~ ~
I have tried putting .htaccess file as in http://docs.couchcms.com/concepts/cloak ... s-of-files But it didn't work. Directory listing was disabled, but if you happen to know the link to file, it was downloaded without problems.

Tested all solutions found on web with htaccess. Nothing prevented browser from downloading zip archive from uploads/file/secure.

The only method that worked has been found though:
Through cpanel of hosting, I made a folder protected. I didn't set password, as I remember, just indicated folder as protected.

The file htaccess was automatically created in secure folder with the following content:
AuthType Basic
AuthName "/www/website.com/_uploads/file/secure/"
AuthUserFile /var/www/path-outside-of-root/etc/47056829.passwd
<Limit GET POST>
require valid-user
</Limit>


Cloak_url passes by this restrictions and successfully serves file. This is most important.
Browser can not download nuthin

This is a solved now.

My Documentation, Addons, Functions.
Join COUCH:TALK telegram channel
Hi Trendoman,

I saw this old post of yours.

I need this functionality to protect the files that my users can download from the site, through CouchCMS. My goal is to be able to present individual files to users for download, that only one user can download, files like contracts and invoices. This works through the site: when a user goes through the site, then Couch checks the user permissions and will allow or deny download. But once a user goes around Couch, guesses (or knows) the link and types it in the browser directly, then the file will download even when the user normally would be denied when going through Couch!

So I need to protect the folder where the downloadable files are located, in order to always deny them from all internet users, and only make it possible to access them through Couch.

I was hoping your suggestion would be my solution. It works in Safari but unfortunately, Brave browser (Chrome based) does not check it (or so it seems) and keeps on downloading the file... even when the user does not have the right to do that (in Couch).

Is there a way to completely lock down the downloadable file folder in Couch?

Thanks in advance!
"I have never tried that before, so I think I should definitely be able to do that" - Pippi Longstocking
I found the answer, and it works.

In the folder that must be protected, create an empty .htaccess file.
Type the following text in the .htaccess file:
Code: Select all
Order deny,allow
Deny from all

See for more information this link: https://stackoverflow.com/questions/2679524/block-direct-access-to-a-file-over-http-but-allow-php-script-access.
"I have never tried that before, so I think I should definitely be able to do that" - Pippi Longstocking
I created and published a few funcs (<cms:call 'protect-file' />, <cms:call 'protect-folder' />) that now help me with this.

My Documentation, Addons, Functions.
Join COUCH:TALK telegram channel
4 posts Page 1 of 1
cron