The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.2.25 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/printthread.php 16 require_once



UserSpice
Can I protect access to non-php files? - Printable Version

+- UserSpice (https://userspice.com/forums)
+-- Forum: Miscellaneous (https://userspice.com/forums/forumdisplay.php?fid=28)
+--- Forum: Off-topic Discussions (https://userspice.com/forums/forumdisplay.php?fid=10)
+--- Thread: Can I protect access to non-php files? (/showthread.php?tid=1006)



Can I protect access to non-php files? - WebAIFHS - 03-17-2018

This is a real newbie question but can't find an answer maybe there isn't one. With UserSpice I can manage access to php pages but can I manage access to non-php pages? On the website we have data files/files (pdf, xls...) that are in the "private" password protected folders that are set up by the hosting system and are accessed by a single ID/password. This files are to be accessed by the members only not by "guests" from the "public" area. The requirement is that each member has a unique ID/password which is why I'm investigating UserSpice. If I remove the host's protection how do I implement access control to these files using UserSpice or is it not possible?

Thanks in advance
Nello Ostacchini
Webmaster Anglo-Italian Family History Society


Can I protect access to non-php files? - Brandin - 03-17-2018

Hi Nello,

Since you can't use the securePage function on Non-PHP files, I'd have to say no. T he only thing I could recommend is you hash the file names or something and have them only accessible from a central page within UserSpice. There might be a method in which you can have a single HTTP Authentication that is posted by the PHP Script so only that script has access to grab the file.

Brandin.


Can I protect access to non-php files? - WebAIFHS - 03-21-2018

Thanks Brandin and sorry for the delay in responding - the email was in the spam folder and I've only just seen it. Your reply confirms what I suspected. Your hash suggestion is something that I already use in some areas of the site so I could extend its use. The Excel files are read/search/displayed using the PHPExcel class. My concern is that if the url of the data folder is revealed then the data is directly accessible and can be downloaded. Hashing the path and accessing the files via a single interface would be a solution.
I don't understand what you mean by HTTP Authentication but I'll research it and see if that provides a solution
Regards
Nello


Can I protect access to non-php files? - Brandin - 03-21-2018

Another thing you can do is have the files in a non-publicly accessible area, then on request, generate a unique download link for that file? You can then use cron jobs to delete the files whenever the cron job runs. You'd need to do some research on copying, moving, etc files on a PHP request though.