Hi folks!
For a small e-learning website I needed some form of extra protection and here's why: each student is an "extended user", who is also required to log in in order to access his page with assignments and evaluation. But assuming that somehow, intentionally or not, the links - generated with "cloak_url" - for downloading files are "leaked", any authenticated user can download others' files. So I needed something based on user id (actually k_extended_user_id), which resulted in the following mod:
<cms:pages masterpage=k_user_template id=k_user_id >
   <cms:show_securefile 'evaluation' >
      <a href="<cms:cloak_url link=file_id user_id=k_extended_user_id access_level='2' prompt_login='1' />">Download your evaluation</a>
   </cms:show_securefile>
</cms:pages>

Please note the new parameter in the cloak_url line, user_id=k_extended_user_id. If this parameter is present, ONLY authenticated user X can download X's files. If user X tries to download Y's files (assuming he/she somehow knows the links), he/she will be redirected to Couch's default "Access denied" page. If the parameter is missing, ANY authenticated user can download anyone's files, if the links are known.

In order to install this mod you will have to extract the archive to the Couch main folder.
Please note!!!:
********************************************************************************************************
• backup existing "tags.php", "download.php" and "auth/auth.php" before replacing them with the modded files;
• I only tested it - for about 1 week, with no glitches - in Couch 2.1 beta;
********************************************************************************************************

Best regards,
Nea Pandele

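The check described in the post, as an added example that is not part of the original post and is neither the mod's code nor CouchCMS's own: a download token that carries an optional owner id under an HMAC, verified again against the session user at download time. The function names, the secret and the token layout are assumptions made for illustration and do not reproduce the format cloak_url actually emits.

```php
<?php
// Added illustration (hypothetical names, not CouchCMS code).
// The link is bound to a user by signing "file_id.owner_id" with a server-side
// secret; the download handler re-checks the owner against the session user.

const LINK_SECRET = 'constructed-demo-secret'; // constructed value, keep server-side

// Called while rendering the owner's page. $owner_id = null mirrors a link
// created without user_id: any authenticated user may follow it.
function make_link_token(int $file_id, ?int $owner_id = null): string {
    $payload = $file_id . '.' . ($owner_id ?? 0);   // 0 = not bound to a user
    return $payload . '.' . hash_hmac('sha256', $payload, LINK_SECRET);
}

// Called by the download handler. $session_user_id must come from the
// server-side session, never from the request. Returns the file id to serve,
// or null when the request has to be refused.
function check_link_token(string $token, ?int $session_user_id): ?int {
    if ($session_user_id === null) {
        return null;                                // not authenticated
    }
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;                                // malformed token
    }
    [$file_id, $owner_id, $mac] = $parts;
    $expected = hash_hmac('sha256', $file_id . '.' . $owner_id, LINK_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null;                                // ids were edited or MAC forged
    }
    if ((int)$owner_id !== 0 && (int)$owner_id !== $session_user_id) {
        return null;                                // leaked link, wrong user
    }
    return (int)$file_id;
}

// Constructed sample data: file 42 belongs to user 7.
$bound   = make_link_token(42, 7);
$unbound = make_link_token(42);

var_dump(check_link_token($bound, 7));      // the owner follows the link
var_dump(check_link_token($bound, 8));      // another logged-in user has the leaked link
var_dump(check_link_token($unbound, 8));    // link created without an owner id
var_dump(check_link_token($bound, null));   // visitor without a session
// A user who rewrites the owner id inside the token invalidates the MAC.
var_dump(check_link_token(str_replace('42.7.', '42.8.', $bound), 8));
```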