by KK » Wed Feb 21, 2018 4:31 am
@potato,
Allow me to try and clear your confusion about securefile and cloak_url. This could also help others facing the same questions.
As you know, allowing visitors the capability of uploading files to your server is always fraught with risk.
The type 'securefile' editable region tries to mitigate this -
a. by subjecting the uploaded file to rigorous tests based on what extensions, size etc. have been allowed
b. by randomizing the name of the uploaded file
etc.
So, securefile is meant to be used only for *uploading* files securely.
Now comes the reverse direction - i.e. *downloading* the files securely.
When you don't want the visitor to know the location of the file she is downloading (or wish to allow only certain users to download the file etc.), we use the <cms:cloak_url> tag (http://docs.couchcms.com/concepts/cloaked-links.html).
I'd like to stress one point here -
the file being securely downloaded could be the one we securely uploaded using the type 'securefile' region above
*or* it could be an ordinary file uploaded by a trusted user (admin usually) using type 'file' editable region.
OK, hopefully that would have made clear that securefile is for securely uploading and cloak_url is for securely downloading.
We can now discuss your particular use-case.
You wish to have secured mp3 files available for only registered users.
1. How to upload?
Your choice is between using type 'file' or type 'securefile'.
Since the files will be uploaded to the server by the admins using the admin-panel (as opposed to being submitted from the front-end by visitors), type 'file' is the clear choice. Just make sure to upload the files in the 'uploads/file/secure/' folder.
2. How to download?
You are actually trying to play the files through HTML5 Audio player but that is also downloading.
Since this is to be done securely (not revealing the real name/location of the file and allowing only registered users to do so), there is only one option - use cms:cloak_url.
As an example, suppose your type 'file' editable region is named 'my_audio', the following would play the file without revealing its location -
Code:
<audio controls="controls">
Your browser does not support the <code>audio</code> element.
<source src="<cms:cloak_url link=my_audio />" type="audio/mpeg">
</audio>
Assuming you are using the 'extended users' module for user accounts, for further enforcing that only the currently logged-in user is able to play/download the files, first make sure that the page displaying the player above is access-controlled (i.e. allowing in only registered users) and then use the 'user_id' parameter of <cms:cloak_url> as follows:
Code:
<audio controls="controls">
Your browser does not support the <code>audio</code> element.
<source src="<cms:cloak_url link=my_audio user_id=k_extended_user_id />" type="audio/mpeg">
</audio>
@trendoman,
Using 'cms:securefile_link' would reveal the real path of the file (in the HTML source) hence won't be an option in this use-case.
Hope this helps.
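
Added example, not part of KK's post and not CouchCMS code: a generic Python sketch of what a user-bound cloaked link has to check on the server (signature, expiry, and that the logged-in user is the one the link was issued to). The token format, `SECRET_KEY`, the `/download?t=` URL, the function names and the sample file name are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET_KEY = b"constructed-demo-key"   # assumption: server-side secret, never sent out
# Constructed sample: opaque id -> real location (the path never reaches the HTML).
FILES = {"track-01": "uploads/file/secure/track-01.mp3"}

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()

def make_token(file_id, user_id, ttl=300, now=None):
    """Issue a link token bound to one file, one user and an expiry time."""
    now = time.time() if now is None else now
    payload = json.dumps({"f": file_id, "u": user_id, "e": int(now) + ttl}).encode()
    return b64e(payload) + "." + b64e(sign(payload))

def resolve_token(token, session_user_id, now=None):
    """Return the real path only if signature, expiry and logged-in user all match."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = b64d(p64), b64d(s64)
    except ValueError:              # wrong shape or bad base64
        return None
    if not hmac.compare_digest(sig, sign(payload)):
        return None                 # forged or modified token
    data = json.loads(payload)
    if data["e"] < now:
        return None                 # link expired
    if session_user_id is None or data["u"] != session_user_id:
        return None                 # logged out, or link issued to another user
    return FILES.get(data["f"])

if __name__ == "__main__":
    link = make_token("track-01", user_id=7)
    print("src=/download?t=" + link)            # hypothetical download URL
    print("owner     :", resolve_token(link, 7))
    print("other user:", resolve_token(link, 8))
    print("logged out:", resolve_token(link, None))
```

The link carries only an opaque id, so the real path stays on the server, and a link copied out of the page source is useless to a different or logged-out visitor.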