Per File access Control on Drupal 7 Content - drupal-7

Is there a way to restrict content download "Restricting Anonymous Users From Downloading Files"
Right now, once the user is logged in and he is able to obtain the URL to a path, he can re-download it again even if he logs off.
We've tried the Rules module and the Content_Access module, to no avail.
They only support basic rules per node.
There are no basic rules per content (i.e. videos).

You can control access to files via Drupal only if both conditions are met:
private mode is on (see /admin/config/media/file-system)
Download folder is outside web server access, i.e. file upload folder contents are not accessible from the web.

See hook_file_download(), which is called for every private file:
Control access to private file downloads and specify HTTP headers.
This hook allows modules to enforce permissions on file downloads when the private file download method is selected. Modules can also provide headers to specify information like the file's name or MIME type.
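
A hook_file_download() implementation for the setup described above, added here as an example and not part of the original answer. The module name mymodule, the private://videos/ prefix and the permission name are assumptions.

```php
<?php
/**
 * Implements hook_file_download().
 *
 * Hypothetical module "mymodule"; the URI prefix and permission name
 * below are assumptions chosen for this example.
 */
function mymodule_file_download($uri) {
  // Only decide for files under the protected private directory.
  if (strpos($uri, 'private://videos/') !== 0) {
    return NULL; // Not ours: leave the decision to other modules.
  }
  // Returning -1 makes Drupal answer "access denied", whatever other
  // modules return for the same file.
  if (user_is_anonymous() || !user_access('download protected videos')) {
    return -1;
  }
  // Load the managed file record so the right headers can be built.
  $files = file_load_multiple(array(), array('uri' => $uri));
  if (empty($files)) {
    return -1; // Unknown file: refuse rather than guess.
  }
  $file = reset($files);
  // Content-Type, Content-Length and related headers for this file.
  $headers = file_get_content_headers($file);
  // Keep browsers and shared proxies from retaining a copy that
  // would still be served after the user logs out.
  $headers['Cache-Control'] = 'private, no-store';
  return $headers;
}

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array(
    'download protected videos' => array(
      'title' => t('Download protected videos'),
    ),
  );
}
```

The hook only runs for files stored under the private:// scheme; a file uploaded to the public files directory is still served directly by the web server and bypasses this check.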

Related

How can I dynamically use images outside of my reactjs project?

I am developing a client-only ReactJS application (only for local usage) where I need to save and load images by filepaths (URL and local file system).
The paths are stored in the local storage and images from URLs can be used. Anyway, local images cannot since ReactJS is using the project directory and I cannot escape it.
Is there the possibility to open files with absolute path from the local file system or can I/do I have to upload it in the project directory?
Are you running this through a browser? If so, JavaScript in browsers does not yet have the ability to access local file systems. I haven't tried this, but you could run Node locally and use ExpressJS for client-server communication.
As stated here:
you'll need two pieces:
A browser piece, which does the UI with the user.
A Node piece, which runs on the user's machine (and thus can access the file system) and which the browser piece uses to do the actual file operations.
Probably the easiest way for the pieces to interact would be HTTP, which you can trivially support using ExpressJS.
So for instance, if the user wants to delete a file:
User clicks something to say "delete this file"
Browser JavaScript sends the command to the Node process over HTTP via ajax
Node process does the deletion and reports success/failure
Browser JavaScript displays the result

only logged in users can play audio from our server

We have made a silverlight application where users can preview audio files from their browser from the telerik radmediaplayer control.
The files are on a webserver and anyone who sniffs the traffic can download the file.
We would like to prevent non-logged-in users from accessing/downloading these files.
Besides providing the application with some sort of temporary valid url and implementing a custom httphandler... what are our options?
It's not too big of a problem if our customers can download the files, we just don't want the rest of the world to also have access.
Any ideas would be more than welcome!
[Update]
The only thing I can come up with is:
host the files in a non-public folder
if a user requests to prelisten a file, copy it to a public folder under a new name ([guid].mp3) and return its URL
every x minutes clean the public folder.
Don't let the web server serve up the files straight out of a directory. Put part of your application in front, and let one of your server-side scripts serve up these files. Keep the raw audio files out of the web root.
For instance, your client-side application would access files like so:
http://someserver/yourscript?audio_asset_id=12345
The code at yourscript would verify the session data, ensuring that a user is logged in, would then go figure out the real path to asset ID 12345, and echo its contents to the client. Don't forget to include the proper Content-Type header as well.
Once the accessing of these assets is under your control, you can implement whatever security measures you like. If your sessions are already pretty well safeguarded, this should be fine. I would also recommend implementing sane quotas. If you get 100 requests on an asset using the same session ID from multiple IP addresses... something isn't right.
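
The gatekeeper script described in this answer, written out as an added example that is not part of the original post. AUDIO_ROOT, the session keys user_id and ips, the limit of three addresses and the asset map are assumptions.

```php
<?php
// Added example. AUDIO_ROOT, the 'user_id' and 'ips' session keys and the
// asset map are assumptions, not names from the original post.
const AUDIO_ROOT = '/srv/private-audio'; // outside the web root

// Map an asset ID to a real file under AUDIO_ROOT, or null if invalid.
function resolve_asset(array $assets, $id) {
    if (!is_string($id) || !ctype_digit($id) || !isset($assets[$id])) {
        return null;
    }
    $root = realpath(AUDIO_ROOT);
    $path = realpath(AUDIO_ROOT . '/' . $assets[$id]);
    // Refuse anything that resolves outside the private directory.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Record the client IP against the session; true once too many distinct
// addresses have used the same session ID.
function too_many_ips(array &$session, $ip, $limit = 3) {
    $session['ips'][$ip] = true;
    return count($session['ips']) > $limit;
}

session_start();
$assets = array(12345 => 'preview-12345.mp3'); // constructed; normally a DB lookup

if (empty($_SESSION['user_id'])) {          // not logged in
    http_response_code(403);
    exit;
}
if (too_many_ips($_SESSION, $_SERVER['REMOTE_ADDR'])) {
    http_response_code(429);                 // session shared across hosts
    exit;
}
$id = isset($_GET['audio_asset_id']) ? $_GET['audio_asset_id'] : null;
$path = resolve_asset($assets, $id);
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```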

CakePHP: Access private folders after authentication

I'm looking for a CakePHP best practice to serve folders/files to clients after they are authenticated. I know it's simpler to use a .htpasswd/.htaccess based solution but I wonder about a better way.
What is it for?
I want to create a client area where authenticated clients can see the contents of their private folder(s). E.g. to test some static HTML templates before CMS integration or upload some documents like commented screenshots or PDF files.
A usecase could be:
Create a new client (only by admin)
Generate Login credentials for different user of the same client
Create a new client folder (only by admin)
Upload some static html to the client folder
After login the client can access the folder and view the html
After logout access to the static files is restricted
Any suggestions?
Do you know about CakePHP's "Media Views"? I think that you might be able to do what you want with them.
quick & dirty example...
    public function serve($filename = null) {
        // Only serve files to an authenticated user.
        if ($filename && $this->Auth->user()) {
            // Keep only the final path component so the request cannot
            // point outside the directory given in 'path'.
            $filename = basename($filename);
            $this->viewClass = 'Media';
            $params = array(
                'id' => $filename, // full filename
                'name' => 'example',
                'download' => false, // true, then you get a download box
                'extension' => pathinfo($filename, PATHINFO_EXTENSION),
                'path' => APP . 'outside_webroot_dir' . DS
            );
            $this->set($params);
        } else {
            // redirect to login or something
        }
    }
I think the easiest way is to use a database structure for this.
The files are stored on the server anyway, where does not matter.
This is how you do:
Create a table in the database called DataFile (because "File" causes problems with the Cake "File" class). Fields should be something like: id, data_folder_id, name, size, mime_type etc. Use what fits your needs.
Create a table in the database called DataFileFolder. Fields here: id, parent_id, name, visible. Same as above, whatever fits your needs.
Create an association key in the client table or a whole association table if needed. (For example: one client and 50 folders in different places). Be aware of the association you create. If you use Client->DataFolder the client automatically has access to all files within that folder.
Bake models and a FileController with an index frontend method and admin actions as well as views.
Optimize admin methods for creating either a file or a folder record.
The index method for the frontend has one parameter which represents the folder id. You output each and every folder and file in the folder, starting with the first the user is allowed to access. You could also just output a list of folders the user is allowed to access in case these folders are on different levels of the new "file manager". You have to check permission on each and every new page call for the given folder id. But that's clear, I think.
Implement a download method for the files based on the media view mentioned above. This should be it.
I think this is the best and easiest way to control the access for such folders.
Because there are some limitations from post_max_size etc. if it is not your server, you should maybe think about an external script (or write it on your own if you have the time ;)) to load those files over FTP.
You could also think about a folder accessible on your FTP to upload files. In the "new file" dialog in the backend this folder will be listed and you can include the file into the system by just copying it (via PHP of course). Advantage: only one upload (though it would only be two if you are using the FTP upload method mentioned before this).
If you are just into sharing files with clients and those clients are not going to have access to anything else based in your CakePHP project, just use FTP with a folder for each client. Faster and easier to handle because you can send them URLs like "ftp://username:password@yourserver.com" and done. They are logged in, they can view the HTML files because they are accessing the FTP via the browser, and it should be noob safe.
Hope anything of this will feed your needs :)
Greetings
func0der

System.IO.FileInfo throwing access is denied exception to a local file

I created a sample Silverlight Web project
and I am getting 'Access is denied' when I do this:
string fileName = "map.gif";
FileInfo fileInfo = new FileInfo(fileName);
How can I give the web project access to this folder/file?
I added the image into my project, really drawing a blank here....
You don't access files you've placed in the project using the FileInfo object. Instead you create a Uri to access it.
It's not clear from your question which project you've placed the file in. If you have placed it in the Silverlight project then it ought to end up as content in the Xap. In which case you can acquire StreamResourceInfo for it using:-
StreamResourceInfo gifContentInfo = Application.GetResourceStream(new Uri("map.gif", UriKind.Relative));
Now you can get to the file content with:-
Stream gifStream = gifContentInfo.Stream;
On the other hand if you have placed the file in the web project it will be a standard static file in the web site. Hence you will need to do the typical WebClient download to fetch it.
I take it you are going to this trouble because it's a GIF file; you are aware that they are not supported as an image.
You can't use the filesystem in Silverlight outside of Isolated Storage
you need to give file access to the asp.net user
check this out:
http://www.codeproject.com/KB/aspnet/Ahmed_Kader.aspx
Or use the special folder which asp.net provides for you
... APP_DATA
that should have the rights you need...
I am assuming you are trying to access a file in the local filesystem.
If so, you cannot access files like that. Silverlight does not have the access privileges you expect. If you want to add a file to your Silverlight application at runtime, you will need to have Silverlight 4, running out of the browser with elevated privileges. There are certain limitations to this too. You can only access files in special folders like My Documents, Pictures, Music etc. For more info about accessing files this way, you can look at John's tutorials on Silverlight 4 elevated privileges on Channel 9 MSDN.
I would doubt your FileInfo usage too. Here is a sample code to get file data using a simple drag and drop feature.
    private void list_Drop(object sender, DragEventArgs e)
    {
        FileInfo[] files = (FileInfo[])e.Data.GetData(DataFormats.FileDrop);
        for (int i = 0; i < files.Length; i++)
            textblock.Text += files[i].Name;
    }
You can get the properties of the file such as "Name". You will not hit any access denied errors. You cannot access properties like "DirectoryName", "FullName" etc., the reason being that they are declared as SecurityCritical properties for security reasons. The advantage of elevated permissions is that you can get to the local file system (special folders) to access the FullName and DirectoryName properties without any exceptions.
Hope this helps

Change owner of file uploaded in server

I have been trying to overwrite or perform some file operations on the files uploaded to a webserver.
Previously I uploaded the files from a Joomla extension. It defined their owner as 99. Without changing the owner to my login name I am unable to perform file operations using FTP and cPanel.
What can be done?
You could enable the FTP layer of Joomla.
It does depend a bit on how your hosting sets permissions (whether they use ACL's, etc), but the FTP layer of Joomla is designed to get around exactly this issue.
Documentation for this feature is here:
http://help.joomla.org/content/view/1941/302/1/2/
