Thursday, March 17 2016
Hi,

First of all, I must say your extension is very, very impressive :-)

Still, I have a precise question about security of Documents which are not "public" but for "registered" or others.
Let's take an example from your demo site.
When I hover the Download link, I see the "real" link to the document.
Example : http://www.demo-joomunited.com/files/91/Root%20category/38/Document.docx
It means I could send it directly to a third party.

For a Public document, no problem of course.
But how does Dropfiles manage documents which are, for example, restricted to "registered" users?
Could a registered user just "share the direct link" (or is the link "cloaked" so that it requires being logged in to be able to download the file)?

This is of course important for security.

Txs a lot in advance,

Marc
T
Hi,

Thanks, really appreciated.

About the file access, Dropfiles is using Joomla ACL. If the user is in the user group you've defined that corresponds to a category of files, he won't be able to reach the file directly. For that he'll need to log in, of course.
Note that in the next version, which is coming next week, we'll add an option to restrict access to a single file per user (not just a group).

Cheers,
W
8 years ago
Hi Tristian,

Txs for the quick reaction !

I had understood about ACL rights.
My question was a bit different.
Say I have the following document ONLY for registered users :
http://www.demo-joomunited.com/files/91/root%20category/38/document.docx
If this URL appears in "clear", that Registered User could post the url anywhere and share the direct link to the file, so that people who don't even have an account could download the file...

So ACL already takes care of restricting access to the full article, but what about the direct link to a given document?

Txs again,

Marc
T
If this URL appears in "clear", that Registered User could post the url anywhere and share the direct link to the file, so that people who don't even have an account could download the file...


No, the access is restricted. I confirm that if the user is not logged in with a proper right, he won't be able to download the file even if he has the direct link. This is exactly the same thing as when you restrict the access to a Joomla content (an article): the user can have the link to the content but it's still not accessible. This is the advantage of using Joomla native ACL.

Hope it helps.

Cheers,
W
8 years ago
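A minimal model of the behaviour described in the reply above, added here as an example and not Dropfiles' or Joomla's own code: the readable URL is routed to a handler that checks the requester's access levels on every request, so holding the link grants nothing. The level ids, session table, file records and the meaning given to the URL path segments are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample data (hypothetical): access level ids, file records, sessions.
PUBLIC, REGISTERED = 1, 2
FILES = {  # (first id, second id, file name) -> access level required to download
    ("91", "38", "document.docx"): REGISTERED,
    ("91", "12", "brochure.pdf"): PUBLIC,
}
SESSIONS = {  # session cookie -> access levels granted to that logged-in user
    "sess-marc": {PUBLIC, REGISTERED},
}


def resolve(url):
    """Map /files/<id>/<category name>/<id>/<file name> to a record key, or None."""
    parts = [unquote(p) for p in urlsplit(url).path.split("/") if p]
    if len(parts) != 5 or parts[0] != "files":
        return None
    if not (parts[1].isdigit() and parts[3].isdigit()):
        return None
    # basename() drops any directory part smuggled in as an encoded slash (%2F).
    return parts[1], parts[3], posixpath.basename(parts[4]).lower()


def download(url, session_cookie=None):
    """Return the HTTP status the handler would answer with for this request."""
    key = resolve(url)
    if key not in FILES:
        return 404
    # No cookie, or a cookie the server does not know, is treated as a guest.
    levels = SESSIONS.get(session_cookie, {PUBLIC})
    return 200 if FILES[key] in levels else 403


URL = "http://www.demo-joomunited.com/files/91/root%20category/38/document.docx"

if __name__ == "__main__":
    print("guest with shared link:", download(URL))                # 403
    print("logged-in registered user:", download(URL, "sess-marc"))  # 200
```

The guarantee only holds while the stored file is not also reachable as a static path under the web root, because a request served directly by the web server never reaches the handler.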
That's excellent then ! Really.
(actually, my fear came from your demo site, where the link to the doc looked like a direct link to the file : http://www.demo-joomunited.com/files/91/root%20category/38/document.docx)

I was so excited when I discovered Dropfile yesterday that I have already contacted two of my customers (one using eDocman, the other was willing to have a document management system, but it was not yet implemented).

Maybe we'll meet at the next JoomlaDay Paris ?
That would be nice :-)

Yours,

Marc
T
Great! Not sure about Paris, but J&Beyond Barcelona is booked ;)