Files can be downloaded outside PhocaDownload
Posted: 09 May 2011, 15:51
by decksys
2.0.0 RC2
On my install, files can be downloaded outside PhocaDownload. In the Phoca Download File section I set access to Registered, but users can still, without logging in, go to
http://domain/phocadownload/file_name and the download will begin.
How to protect files so that they can only be downloaded by registered users to Joomla/PhocaDownload?
Re: Files can be downloaded outside PhocaDownload
Posted: 09 May 2011, 20:20
by noorgat.b
Hi,
You have raised an interesting issue.
I don't know of a solution, but suggest you rename the "phocadownload" folder to something else to keep out simple hackers...
May not help if someone shares the actual link....
Regards
Basheer
Re: Files can be downloaded outside PhocaDownload
Posted: 09 May 2011, 21:05
by decksys
Rename is a possibility - only most quickly learn to gain access to the site structure and are able to see the files in plain sight.
Since my post I played around with modRewrite and found the below to be working. It keeps all out and only allow download through Joomla/Phoca. Perhaps this could be part of the install instructions in case others have files they don't want to be downloaded outside Phoca (for security, statistic or similar reasons).
Here it is:
# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
# disable directory listings
Options -Indexes
RewriteEngine On
# forbid .exe/.zip requests whose Referer is non-empty and not from this site
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?replace_with_your_domain_name\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(exe|zip)$ - [F]
# deny access to .htaccess and .htpasswd
<Files ~ "^\.(htaccess|htpasswd)$">
deny from all
</Files>
order deny,allow
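As an added example (not code from the thread or from Phoca Download), this Python sketch models the three mod_rewrite lines posted above and evaluates them against constructed requests, to show which requests the rule answers with 403. `example.com` stands in for `replace_with_your_domain_name.com`, and the function and sample names are hypothetical.

```python
import re

# The two RewriteCond patterns and the RewriteRule pattern from the post.
# "example.com" is a constructed stand-in for replace_with_your_domain_name.com.
OWN_SITE = re.compile(r"^http://(.+\.)?example\.com/", re.IGNORECASE)  # [NC]
EMPTY = re.compile(r"^$")
PROTECTED = re.compile(r".*\.(exe|zip)$")


def is_forbidden(path, referer=""):
    """Return True when the posted rule set would answer 403 for this request.

    mod_rewrite tests the RewriteRule pattern first, then ANDs the conditions;
    a missing Referer header expands to the empty string.
    """
    if not PROTECTED.search(path):
        return False                                   # extension not covered
    not_own_site = OWN_SITE.search(referer) is None    # !^http://...domain/
    not_empty = EMPTY.search(referer) is None          # !^$
    return not_own_site and not_empty


# Constructed sample requests: (label, path, Referer header value)
SAMPLES = [
    ("link on another site", "phocadownload/setup.zip",
     "http://other.example.net/page"),
    ("link on own site", "phocadownload/setup.zip",
     "http://www.example.com/downloads"),
    ("URL typed or pasted, no Referer", "phocadownload/setup.zip", ""),
    ("other file type, foreign Referer", "phocadownload/manual.pdf",
     "http://other.example.net/page"),
]


def evaluate(samples=SAMPLES):
    """Map each sample label to True (403) or False (request is served)."""
    return {label: is_forbidden(path, ref) for label, path, ref in samples}


if __name__ == "__main__":
    for label, forbidden in evaluate().items():
        print(f"{'403' if forbidden else '200'}  {label}")
```

The Referer header is supplied by the client and is absent on typed or pasted URLs, so this rule limits hotlinking rather than enforcing the Registered access level. Enforcing the access level would need the server to refuse every direct request for the folder, which assumes the component can deliver the files itself.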
Re: Files can be downloaded outside PhocaDownload
Posted: 09 May 2011, 23:35
by Jan
Hi, thank you for the info.
Jan