Discussion:
[TYPO3] access to files only for authenticated frontend users
Günter Hipler
2008-01-22 17:38:03 UTC
Permalink
Hello all,

I'm looking for a solution to restrict access to files only for
authenticated Typo3 frontend users.

Scenario:
- users have to authenticate themselves as authorized frontend users
(use of newloginbox), so they can see on restricted Typo3 pages a list
of URLs to files they are allowed to access. Users shouldn't be forced
to authenticate once more against the Webserver (Apache) after login as
frontend user in case they access one of the files.
- But I have to use means of Apache authentication to prevent access
to these files beside the "Typo3 way" - or are there other possibilities?

Some weeks ago I think I have seen the use of an extension which seems
to prevent the access to files beside Typo3 without authentication, but
unfortunately I can't find it again.

Any ideas or hints are welcome!

G?nter

Informationsverbund Deutschschweiz
c/o Universitaetsbibliothek Basel
Schoenbeinstrasse 18-20
CH-4056 Basel, Switzerland
Tel.: + 41 (0)61 267 31 12 Fax: ++41 61 267 3103
guenter.hipler at unibas.ch
http://www.informationsverbund.ch
Pascal Cramer
2008-01-22 19:49:23 UTC
Permalink
G?nter,
I guess you're looking for 'FHT Download Repository' ,key: fht_download
It allows you to apply authentication for downloading to directories.

Pascal
Post by Günter Hipler
Hello all,
I'm looking for a solution to restrict access to files only for
authenticated Typo3 frontend users.
- users have to authenticate themselves as authorized frontend users
(use of newloginbox), so they can see on restricted Typo3 pages a list
of URLs to files they are allowed to access. Users shouldn't be forced
to authenticate once more against the Webserver (Apache) after login as
frontend user in case they access one of the files.
- But I have to use means of Apache authentication to prevent access to
these files beside the "Typo3 way" - or are there other possibilities?
Some weeks ago I think I have seen the use of an extension which seems
to prevent the access to files beside Typo3 without authentication, but
unfortunately I can't find it again.
Any ideas or hints are welcome!
G?nter
Informationsverbund Deutschschweiz
c/o Universitaetsbibliothek Basel
Schoenbeinstrasse 18-20
CH-4056 Basel, Switzerland
Tel.: + 41 (0)61 267 31 12 Fax: ++41 61 267 3103
guenter.hipler at unibas.ch
http://www.informationsverbund.ch
Günter Hipler
2008-01-24 09:28:13 UTC
Permalink
Hi Pascal,

thanks for your answer!

The night before yesterday I looked around a little bit more and found
what I have seen in november last year. It was the extension
naw_securedl
(http://typo3.org/extensions/repository/view/naw_securedl/0.2.5/)

At the first glimpse it looks fine, because you are able to protect file
resources by apache means and the extension has implemented a way to
pass the apache protection.

But it has a great disadvantage: People who accessed a protected file
ressource might persist this link so google is able to put it up in his
index. Looking for naw-secured with google, you will find links like

http://www.et-inf.uni-hannover.de/typo3conf/ext/naw_securedl/secure.php?u=0&file=fileadmin/institut/_temp_/Herbert-Kind-Preis.pdf&t=1200465648&hash=220ec81cf050c7c1e438acf438765b3d
but the direct access is blocked by apache
http://www.et-inf.uni-hannover.de/fileadmin/institut/_temp_/Herbert-Kind-Preis.pdf

For me that's a hole.

I downloaded your recommended extension too and played a little bit
around with it. But I didn't have the clue (perhaps I hadn't enough
time) what's the sense of it. Unfortunately there is no documentation.

G?nter
Post by Pascal Cramer
G?nter,
I guess you're looking for 'FHT Download Repository' ,key: fht_download
It allows you to apply authentication for downloading to directories.
Pascal
Post by Günter Hipler
Hello all,
I'm looking for a solution to restrict access to files only for
authenticated Typo3 frontend users.
- users have to authenticate themselves as authorized frontend users
(use of newloginbox), so they can see on restricted Typo3 pages a list
of URLs to files they are allowed to access. Users shouldn't be forced
to authenticate once more against the Webserver (Apache) after login
as frontend user in case they access one of the files.
- But I have to use means of Apache authentication to prevent access
to these files beside the "Typo3 way" - or are there other possibilities?
Some weeks ago I think I have seen the use of an extension which seems
to prevent the access to files beside Typo3 without authentication,
but unfortunately I can't find it again.
Any ideas or hints are welcome!
G?nter
Informationsverbund Deutschschweiz
c/o Universitaetsbibliothek Basel
Schoenbeinstrasse 18-20
CH-4056 Basel, Switzerland
Tel.: + 41 (0)61 267 31 12 Fax: ++41 61 267 3103
guenter.hipler at unibas.ch
http://www.informationsverbund.ch
Pascal Cramer
2008-01-24 10:56:07 UTC
Permalink
That's why I use fht_download: the authorisation is handled by TYPO3, not
Apache. This way you cna manage permissions from within the systeem and you are
not dependend on webserver/apache settings.

Anyways, the extension is very basic (I don't know your knowledge level of TYPO
so I might go to fast or slow in this).
After installing using the exentension manager, add a sysfolder which will
contain your downloads. Create a new record on that page of the type 'FHT
Download: Static File' and select or upload the file you want to present as
download, uncheck 'hide', then save and close.

Now you can add the plugin 'FHT download: Repository' to the page. In the
plugin, at 'Startingpoint' select the sysfolder you just created.
Now TYPO will show the download you placed in the sysfolder.
In order to protect the download, got to 'General options (continued) | Access:'
and select the fe_user group you want to have access to the download.
When the user requests the download, TYPO will check the authorisation.

Hope this helps,
Pascal
Post by Günter Hipler
Hi Pascal,
thanks for your answer!
The night before yesterday I looked around a little bit more and found
what I have seen in november last year. It was the extension
naw_securedl
(http://typo3.org/extensions/repository/view/naw_securedl/0.2.5/)
At the first glimpse it looks fine, because you are able to protect file
resources by apache means and the extension has implemented a way to
pass the apache protection.
But it has a great disadvantage: People who accessed a protected file
ressource might persist this link so google is able to put it up in his
index. Looking for naw-secured with google, you will find links like
http://www.et-inf.uni-hannover.de/typo3conf/ext/naw_securedl/secure.php?u=0&file=fileadmin/institut/_temp_/Herbert-Kind-Preis.pdf&t=1200465648&hash=220ec81cf050c7c1e438acf438765b3d
but the direct access is blocked by apache
http://www.et-inf.uni-hannover.de/fileadmin/institut/_temp_/Herbert-Kind-Preis.pdf
For me that's a hole.
I downloaded your recommended extension too and played a little bit
around with it. But I didn't have the clue (perhaps I hadn't enough
time) what's the sense of it. Unfortunately there is no documentation.
G?nter
Post by Pascal Cramer
G?nter,
I guess you're looking for 'FHT Download Repository' ,key: fht_download
It allows you to apply authentication for downloading to directories.
Pascal
Post by Günter Hipler
Hello all,
I'm looking for a solution to restrict access to files only for
authenticated Typo3 frontend users.
- users have to authenticate themselves as authorized frontend users
(use of newloginbox), so they can see on restricted Typo3 pages a
list of URLs to files they are allowed to access. Users shouldn't be
forced to authenticate once more against the Webserver (Apache) after
login as frontend user in case they access one of the files.
- But I have to use means of Apache authentication to prevent access
to these files beside the "Typo3 way" - or are there other
possibilities?
Some weeks ago I think I have seen the use of an extension which
seems to prevent the access to files beside Typo3 without
authentication, but unfortunately I can't find it again.
Any ideas or hints are welcome!
G?nter
Informationsverbund Deutschschweiz
c/o Universitaetsbibliothek Basel
Schoenbeinstrasse 18-20
CH-4056 Basel, Switzerland
Tel.: + 41 (0)61 267 31 12 Fax: ++41 61 267 3103
guenter.hipler at unibas.ch
http://www.informationsverbund.ch
Continue reading on narkive:
Loading...