Need a little help with access control to files..
I need to make some files available to staff users of a site.. I have created a page that's only accessible by the staff and used "filetree" (
Obviously the links to the files are not under the access controls of the website.. So knowing the link would allow anyone to access them..
Is mod_setenvif the best way to do this?
Something like..
SetEnvIf Referer https://www.mydomain.com/path/to/page allowedaccess
<Directory /path/to/files>
Order Deny,Allow
Deny from all
Allow from env=allowedaccess
</Directory>
Or is there a better way?
Thanks..
3 Replies
If there is a better way I would like to hear it but as a start this seems to be working..
1) Make the files subject to the website's access controls, somehow. Depending on how your application stores authentication credentials, Apache might be able to work with it, or you can set up a second set of usernames/passwords (see here
2) Use some sort of secure token for providing access. lighttpd's mod_secdownload query string authentication
I don't know of a way to implement this with Apache, but someone's probably done it!
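The secure-token approach from point 2 above, as an added example (not code from this thread, and not the URL format used by mod_secdownload or mod-auth-token): the application issues a link carrying an expiry time and an HMAC over the path and expiry, and the file server rejects any request whose token does not verify. Unlike a Referer value, which the client supplies, the token cannot be produced without the secret. SECRET, make_link and check_link are hypothetical names, and the path in the usage comment is a constructed sample.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed secret for this example; in practice a long random value known
# only to the application that issues links and the server that checks them.
SECRET = b"example-secret-change-me"


def _sign(path: str, expires: int) -> bytes:
    # The HMAC covers both the path and the expiry, so neither can be altered.
    msg = f"{expires}:{path}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def make_link(path: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Return a URL for `path` that stays valid for `ttl` seconds."""
    issued = int(time.time()) if now is None else now
    expires = issued + ttl
    return f"{path}?expires={expires}&token={_sign(path, expires).decode()}"


def check_link(url: str, now: Optional[int] = None) -> bool:
    """True only if the token matches path and expiry and has not expired."""
    current = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        token = query["token"][0].encode()
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    # Verify the signature first, using a constant-time comparison.
    if not hmac.compare_digest(token, _sign(parts.path, expires)):
        return False
    return current <= expires


# Usage (constructed sample path):
#   link = make_link("/files/staff/report.pdf")
#   check_link(link)
```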
The site is driven by Drupal so is using cookies and as you have noted I didn't want to have a double login.. I tried the "private files" option in Drupal which would have solved it but it doesn't play nicely with the "filetree" module because the files are not "known" to Drupal and so the links are not delivered correctly..
mod-auth-token would be cool to use but since I am not a coder I wouldn't know how to add this to the Drupal filetree module so the URLs would be generated as required..
As usual I am limited by my coding skills so have to make use of what's been created in the open source community..