permissions for uploaded media

27 views
Skip to first unread message

Maik

unread,
Jan 22, 2013, 4:20:57 AM1/22/13
to habari...@googlegroups.com
Hi group,

I have made some posts that only authenticated users can see and I'd like to attach a simple txt file to one of those posts.
If I upload a media file with the Media Silo 1.0.1, then the file is available to everyone knowing the link, since it is directly served by the webserver without involving habari access-control mechanisms.

Is the a way - any way - that uploaded / attached media has the same access restrictions as the posts they're in?

Regards
Maik

Michael C. Harris

unread,
Jan 22, 2013, 6:39:24 AM1/22/13
to habari...@googlegroups.com
As it's the most efficient thing to do, the recommended server configuration for Habari causes static files to be served directly by the web server; Habari isn't involved at all. It is possible to change the server configuration, and with a plugin, do all static file processing through PHP/Habari. 

The hard bit would be matching the permissions on the file with the permissions on a post. You could do something like append the post id to the file name on upload, then check the permissions on the post when requesting the file. 

In short, possible but not trivial, and would require some programming.  




--
Michael C. Harris
IRC: michaeltwofish #habari

Les Henderson

unread,
Jan 22, 2013, 2:59:59 PM1/22/13
to habari...@googlegroups.com
Just a less technical thought here.

Let's say you encrypt the text file using http://howto.cnet.com/8301-11310_39-57449365-285/how-to-encrypt-selected-text-and-entire-text-files-with-notepad/ and then make the password only available on your secure post.

Owen Winkler

unread,
Jan 22, 2013, 4:04:36 PM1/22/13
to habari...@googlegroups.com
On 1/22/2013 4:20 AM, Maik wrote:
>
> Is the a way - any way - that uploaded / attached media has the same
> access restrictions as the posts they're in?

I've written a plugin that should accomplish this.

See:
https://github.com/ringmaster/secretfile

Install and activate the plugin. Create a post. Find a file in the
Habari Silo to insert as a link into the post. Choose the new menu
option "insert secret_link" from the menu under that file. A shorttag
will appear in the editor. Save the post.

The shorttag that is created will be rendered as a link by Habari when
the post is displayed to a user. When the user clicks on the link, the
selected file downloads. The file streams through PHP, so there is no
direct access to the file. The trade-off here is efficiency for security.

Displaying the link in the post saves a value to that user's session.
As a result, the user must visit the post immediately prior to
attempting the download. If the user attempts to go directly to the
download URL without visiting the post, they will first be redirected to
the post. If they are not logged in, it's possible that the post will
"not exist" for them, and they will instead be directed to the home
page. If permissions prevent the user from viewing the post, they will
not be able to download the file.

Currently, the plugin only works with the Habari Silo. There were some
issues with other silos and the information they return being incomplete
for the purpose of this plugin. Hopefully this will be corrected.

Owen

Reply all
Reply to author
Forward
0 new messages