
contao-file-access's Introduction

Contao File Access

Contao extension to allow direct file access to protected files for logged in front end users.

Usage

After installing this extension you can grant members access to files that are not public. Edit a folder and enable the allowed member groups. If you select no group, the file is not accessible through this extension at all (it can still be served by other means, for example the download content element). A user has access to a file if they are allowed to access any of its parent folders, i.e. each folder inherits the member group setting of its parents.

Screenshot

Since version 1.1.0 the script generates a regular Contao 401 page when a file is accessed without sufficient permissions (a 403 for Contao versions before 4.6, see Responses below). This lets you do the following:

  1. Create a page of the type 401 Not authenticated in your site structure with no redirect setting.
  2. Create a login module with no redirect setting.
  3. Add this login module to the 401 Not authenticated page.

Now, when a user who is not logged in yet opens the link to a file, they are presented with the login form instead. After logging in, they are "redirected back" to the file (no redirect actually happens; the user stays on the same URL, and the file is served once the session is authenticated).

Responses

  • If a file is not present in the database-assisted file system (DBAFS), a 404 response is generated.
  • If none of the parent folders of a file have any member groups set, a 404 response is generated.
  • If the user is not logged in, a 401 response is generated in Contao 4.6 and up, otherwise a 403 response is generated.
  • If the user is logged in but does not have access to any of the parent folders, a 403 response is generated.
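The decision procedure described in Usage and Responses, as an added example that is not part of the bundle's own code: a small Python model of the status codes, with the inheritance rule (access via any parent folder) and the 4.6 version threshold taken from this page. Folder names, group ids and file names are constructed sample data, not real Contao records.

```python
# Added example (not code from contao-file-access): a Python model of the
# access decision the README describes, so the response matrix can be
# reasoned about and tested offline. All data below is constructed.
from pathlib import PurePosixPath
from typing import Dict, FrozenSet, Iterable, Set, Tuple

HTTP_OK, HTTP_UNAUTHORIZED, HTTP_FORBIDDEN, HTTP_NOT_FOUND = 200, 401, 403, 404


def ancestor_dirs(file_path: str) -> Iterable[str]:
    """Yield every parent folder of a file, nearest first ('a/b/c.pdf' -> 'a/b', 'a')."""
    for parent in PurePosixPath(file_path).parents:
        if parent.name:  # skip the empty root entry ('.')
            yield parent.as_posix()


def effective_groups(file_path: str, folder_groups: Dict[str, Set[int]]) -> FrozenSet[int]:
    """Member groups that may reach the file: the union over all parent folders,
    because every folder inherits the member group setting of its parents."""
    allowed: Set[int] = set()
    for folder in ancestor_dirs(file_path):
        allowed |= folder_groups.get(folder, set())
    return frozenset(allowed)


def decide(file_path: str, known_files: Set[str], folder_groups: Dict[str, Set[int]],
           logged_in: bool, user_groups: Set[int],
           contao_version: Tuple[int, int] = (4, 13)) -> int:
    """Return the HTTP status the README's Responses section specifies."""
    if file_path not in known_files:  # not in the DBAFS
        return HTTP_NOT_FOUND
    allowed = effective_groups(file_path, folder_groups)
    if not allowed:  # no parent folder has any member group set: 404, not 403
        return HTTP_NOT_FOUND
    if not logged_in:  # 401 from Contao 4.6 on, 403 for older versions
        return HTTP_UNAUTHORIZED if contao_version >= (4, 6) else HTTP_FORBIDDEN
    if allowed & frozenset(user_groups):  # member of at least one allowed group
        return HTTP_OK
    return HTTP_FORBIDDEN


# Constructed sample data: one unprotected folder and two nested protected folders.
KNOWN_FILES: Set[str] = {
    "files/public/logo.png",
    "files/members/report.pdf",
    "files/members/board/minutes.pdf",
}
FOLDER_GROUPS: Dict[str, Set[int]] = {
    "files/members": {1},        # group 1: "members"
    "files/members/board": {2},  # group 2: "board"; also inherits group 1 from its parent
}


def response_matrix() -> Dict[str, int]:
    """Walk the cases listed in the README's Responses section."""
    def f(path: str, logged_in: bool, groups: Set[int], ver: Tuple[int, int] = (4, 13)) -> int:
        return decide(path, KNOWN_FILES, FOLDER_GROUPS, logged_in, groups, ver)

    return {
        "missing file": f("files/nope.pdf", True, {1}),
        "unprotected file": f("files/public/logo.png", True, {1}),
        "anonymous, Contao 4.13": f("files/members/report.pdf", False, set()),
        "anonymous, Contao 4.4": f("files/members/report.pdf", False, set(), (4, 4)),
        "member of group 1": f("files/members/report.pdf", True, {1}),
        "member of group 3": f("files/members/report.pdf", True, {3}),
        "group 1 reaches board subfolder": f("files/members/board/minutes.pdf", True, {1}),
        "group 2 reaches board subfolder": f("files/members/board/minutes.pdf", True, {2}),
        "group 3 denied in board subfolder": f("files/members/board/minutes.pdf", True, {3}),
    }


if __name__ == "__main__":
    for case, status in response_matrix().items():
        print(f"{status}  {case}")
```

The subfolder cases are the ones worth checking on a real installation: because the setting is inherited, a group granted on `files/members` also reaches everything below it, so narrowing access for a subfolder requires not granting the broader group on the parent.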

User Homes

Since version 2.3.0 you are also able to grant front end users access to the files in their user home directory in the settings of the member.

Protect Resized Images

Since version 2.4.0 it is also possible to automatically protect any resized images (thumbnails) of protected files, which would otherwise be publicly reachable under assets/images. You can enable this feature in your config:

# config/config.yaml
contao_file_access:
    protect_resized_images: true

Note that this will however put additional load on your application as all requests to any resized protected image must be processed by the application.

Also note that, due to technical limitations, anyone logged into the back end in the current browser session can always access (i.e. see) these resized images.

Important Notes

Since this access restriction is done in PHP, the file is also sent to the client by PHP. This means that max_execution_time needs to be large enough for any file to be transferred to the client before the script is terminated. Be aware that problems can occur if a file is very large, the client's connection to the server is very slow, or both. The script tries to disable max_execution_time, but there is no guarantee that this works, and the web server may enforce timeouts of its own.

If you did not enable protect_resized_images (see above) and you use thumbnails of protected images, the URL to these thumbnails can still be accessed by anyone.

Acknowledgements

Development funded by KASTNER and ieQ-systems GmbH & Co. KG.

contao-file-access's People

Contributors

e-spin, fritzmg

Forkers

zonky2

contao-file-access's Issues

Issue with recursive access check

If you edit a protected sub folder and simply save without changing anything, the folder's protected status will be set to 1. Which in turn means it will now be detected as protected during the file access check and cannot be viewed anymore - even if you have the rights to do so from the parent folder.

Does not work with .php files

Hello,

on a current Contao 4.9.13 installation we are trying to have a PHP file executed, but only for certain logged-in members. This works fine with the insert tag {{file}}, but as soon as we install and configure your plugin, calling the page / PHP file just returns "File not found."
With most other files we tried (jpg, gif, png) it works fine. Is this intended, or how do we get the same result with .php files?

Regards

401 Unauthorized doesn't work with 401 page type

Hi there,

I just upgraded a client to Contao 4.13 and it seems that instead of Contao's 401 page type handling this exception as it used to, now we just get a generic "Oops! An Error Occurred. The server returned a '401 Unauthorized'" type of screen. Is this something you've seen after upgrading to 4.13? It could also be something in my configuration somewhere, but it's just odd that this wasn't the case when upgrading up until now, and the upgrade to 4.13 has caused this. Please let me know when you can take a look. Thanks!

[Screenshot: Screen Shot 2022-04-06 at 8 24 48 AM]

PDF shows code only

We want to protect PDF files, but then they don't show up as normal; instead they look like this:

%PDF-1.5 %���� 101 0 obj <> endobj 125 0 obj <>/Filter/FlateDecode/ID[<7AE21005B5224647A88BA6DCA8DD2BA8><198D096555EBA04697942A246C9C837D>]/Index[101 36]/Info 100 0 R/Length 115/Prev 3719189/Root 102 0 R/Size 137/Type/XRef/W[1 3 1]>>stream h�bbdb��"�׃H�-���D������j�����Y0� ���g�����&��$3�����= R|���)����2�D6Z�IFAg �������U_�.a$������;@���\�X endstream endobj startxref 0 %%EOF 136 0 obj <>stream h�b```��� � ,g�D��@���(���1�Ai P�"D؁���H1ױ1�]���X �ۃ�� ��� �xg�%,�Xˠ7�a���D�!��� �B � � "wD#��l2�C3�E�Z��"��d��Y�c��J��>[S�>>> endobj 103 0 obj <> endobj 104 0 obj <>/ExtGState<>/Font<>/ProcSet[/PDF/Text/ImageC]/XObject<>>>/Rotate 0/TrimBox[0.0 0.0 595.276 841.89]/Type/Page>> endobj 105 0 obj <>stream`
....

What can I do? Thanks

Wish: file-access for files outside the DBAFS

Hello,

it would be great if contao-file-access also worked for files which are not in the DBAFS.

I maintain a site with over 700,000 pictures (increasing), which are uploaded via FTP. These files are not included in the DBAFS and have to be imported via a manual sync job. For the website the DBAFS is not necessary for these images, and these folders could be excluded from the synchronization.

Background: If a permission is set to the parent folder, it would be recursive. This means that the query would exist for the Contao group and an authorization could take effect.

Wish: The delivery of files which are not available in DBAFS, but in the file system below the corresponding file structure which is created in DBAFS. This must be checked accordingly.

Optional: The activation of this function by a flag on the folder, which only then unlocks it. This would also help to reduce the load.

Internal Server Error 500

Dear fritzmg, i do really look forward using this feature.
Unfortunately, the moment I configure a folder with any file access setting other than public, all I get in the front end is a 500 error when accessing the files.

Contao log entry, when accessing a single file in the restricted folder: (URLs edited)

[2019-04-04 07:00:40] request.INFO: Matched route "files". {"route":"files","route_parameters":{"_route":"files","_controller":"InspiredMinds\\ContaoFileAccessBundle\\Controller\\FilesController::fileAction","_scope":"frontend","_token_check":true,"file":"*/*/*/*/*/_DSC*.jpg"},"request_uri":"https://serverurl/files/*/*/*/*/*/_DSC*.jpg","method":"GET"} []
[2019-04-04 07:00:40] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2019-04-04 07:00:40] request.CRITICAL: Uncaught PHP Exception InvalidArgumentException: "Controller "InspiredMinds\ContaoFileAccessBundle\Controller\FilesController" cannot be fetched from the container because it is private. Did you forget to tag the service with "controller.service_arguments"?" at /var/www/contao4/vendor/symfony/http-kernel/Controller/ContainerControllerResolver.php line 71 {"exception":"[object] (InvalidArgumentException(code: 0): Controller \"InspiredMinds\\ContaoFileAccessBundle\\Controller\\FilesController\" cannot be fetched from the container because it is private. Did you forget to tag the service with \"controller.service_arguments\"? at /var/www/contao4/vendor/symfony/http-kernel/Controller/ContainerControllerResolver.php:71, ArgumentCountError(code: 0): Too few arguments to function InspiredMinds\\ContaoFileAccessBundle\\Controller\\FilesController::__construct(), 0 passed in /var/www/contao4/vendor/symfony/http-kernel/Controller/ControllerResolver.php on line 133 and exactly 3 expected at /var/www/contao4/vendor/fritzmg/contao-file-access/src/Controller/FilesController.php:30)"} []

I am using Contao version 4.6.14 and PHP 7.2.

I hope this information helps. Can you please give me an advice on how to debug this error?
Thank you very much!

Permissions for the Download/s content element

Hello,

Would it perhaps be possible to extend this extension with a function so that permissions can also be applied via the Download/s content element? The background is that editors currently always have to assign permissions for the files they provide, which frequently leads to potential mistakes.
Thanks!

Regards
Thomas
