
Prevent direct access to files

6 years 11 months ago #24471 by kim1984
kim1984 created the topic: Prevent direct access to files
Hey,
First of all, thank you for making this component. It's a really great tool to make project management available to our clients without programming it from scratch, which makes it very expensive for our clients.

I have it installed on several websites and our clients are very pleased with their project management systems. I found it was easy to change the component to the needs of our clients.

But today I got an email from one of our clients complaining that the project files located at '/media/com_projectlog/docs/' are accessible directly without logging in when you know the URL to a file.

If you are logged in and authorised to download/view a file, you can save the URL to that file and mail it to someone else. This other person can just put the URL in their web browser and download/view the file without logging in to Joomla.

I knew this when I started making the website, but I thought this wouldn't be a problem, because they just shouldn't mail the URL to someone who is not authorised to access it. And guessing the URL of a file in the /media/com_projectlog/docs/ directory isn't easy for hackers to do either.

So my question is: Can you suggest a way to prevent this from happening?
Thanks in advance
Kim

6 years 11 months ago #24472 by tim
tim replied the topic: Re: Prevent direct access to files
Hi Kim-- sorry, but no-- these are not meant to be secure files. All your files in a Joomla site are public by design, and they must be public for the webserver to access them.

Keeping these files truly private would require moving them outside the webroot, or you could consider adding an htaccess directive to restrict all access to the directory where ProjectLog files are stored-- but this would require the user authenticating with an Apache user/password, which introduces another level of maintenance.

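Added example, not part of the original thread and not Project Log's code: the first option in the reply above (documents kept outside the web root and handed out only after an authorisation check), as a framework-independent PHP sketch. The `$docs` lookup, the `$isAuthorised` flag and the function names are assumptions standing in for the component's document table and the Joomla login check.

```php
<?php
// Added sketch, not Project Log or Joomla code. Assumptions: $store is a directory
// outside the web root, $docs (id => stored file name) stands in for the component's
// document table, $isAuthorised for the CMS login/permission check.

/** Map a document id to a real file under $store, or null. */
function resolve_document(int $docId, array $docs, string $store): ?string
{
    if (!isset($docs[$docId])) {
        return null;
    }
    $root = realpath($store);
    // basename() drops directory parts; realpath() resolves symlinks and "..".
    $path = realpath($store . DIRECTORY_SEPARATOR . basename($docs[$docId]));
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR; // resolved file must stay inside the store
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Return [HTTP status, path|null]; authorisation is checked before any lookup. */
function authorise_download(bool $isAuthorised, int $docId, array $docs, string $store): array
{
    if (!$isAuthorised) {
        return [403, null];
    }
    $path = resolve_document($docId, $docs, $store);
    return $path === null ? [404, null] : [200, $path];
}

/** Stream the file as a download; call only after a 200 from authorise_download(). */
function send_document(string $path): void
{
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($path);
}

if (PHP_SAPI === 'cli') { // demo on constructed data: this script's directory is the store
    $store = __DIR__;
    $docs = [7 => basename(__FILE__), 8 => '../../etc/passwd'];
    foreach ([[false, 7], [true, 7], [true, 8], [true, 99]] as [$auth, $id]) {
        [$status] = authorise_download($auth, $id, $docs, $store);
        echo 'authorised=' . var_export($auth, true) . " docid=$id -> $status\n";
    }
}
```

Because the link carries only a document id and every request is checked again, a forwarded URL gives a 403 to anyone who is not logged in and authorised.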

6 years 11 months ago - 6 years 11 months ago #24475 by kim1984
kim1984 replied the topic: Re: Prevent direct access to files
Hey, thanks for your answer.
But I needed to find a solution to this problem anyway to keep my client happy.
So I created a workaround for this problem that isn't perfect, but it works.

I made an extra view in the component called hiddenfiles. You can find the code in the attached zip file.

If other people run into this problem, this is how you can make a workaround:
1. Copy the contents of this zipped file to /components/com_projectlog/views/
2. Create a folder in your website's root (public_html) called 'tempdocs'
3. Open up the file /components/com_projectlog/views/project/tmpl/default.php
4. Search for
$this->doc_path . $d->path
in this file
5. Replace it with
JRoute::_('index.php?option=com_projectlog&view=hiddenfiles&Itemid=253&docid='.$d->id)
I hope this helps.

Attachment hiddenfiles_view_v2.zip not found

Last Edit: 6 years 11 months ago by kim1984.
