Access control on Media folders?

[klilleng]

Hi!

Just installed websitebaker, and really like it. One thing however, may stop the deployment.
It seems there are no access control on the Media folders?
So if you have a direct link, you can access any file, even on someone else's Home Folder?
Is this correct? Are there any ways around this?
I need to have private files for each user, that no one else can open or view.

Thanks.

[Luisehahne]

Hi,

I just tested on my Installation

Forbidden

You don't have permission to access /wb/media/random/ on this server.

and if i try to call the /media/ it's call the startpage.

Pls check your permission

Dietmar

[klilleng]

You have to try with a file, like
 /wb/media/random/myfile.pdf

(the file must of course exist in this location)

Thanks.

[Luisehahne]

Not Found

The requested URL /wb/media/Autumn_lake_1024 x 768.jpg was not found on this server.

My permissions mode for folder are 755

Dietmar

[klilleng]

Hmmm strange. Ok, but can you access this file through a link when logged in (that is, a regular URL, not by the Media option)?

[LordDarkman]

It is possible. sometimes I share files with others, so I just upload them to media folder and give them the link. as example
http://lorddarkman.de/web/media/wb1171.zip
If you don't want this to happen put a .htaccess into your media/userfolder witch doesn't allowed external access. But maybe you have than problems in viewing the contend in this folder without login in (htaccess login not wb).

CU Moritz

[klilleng]

Yes, adding a .htaccess could resolve this issue, but then I guess I'd have to manage htaccess authentication and users, in addition to WB users. And users would have to "log on" twice. It's not very tempting.

[LordDarkman]

but I think it's the only posibillity. If you know a filename it's allways possible to access this file. But who knows them? Normally no one. And if you try to access the folder you get a redirect to the start page.

CU Moritz

[klilleng]

In my case it would be possible to guess the filenames of other users, by looking at your own. And I don't want to obscure the filenames with exotic renaming. . The grand idea is to have some sort of invoice filestore, where each user only sees his invoice-files. Seen at several CMS'es, but they seem to lack the possibility of setting individual user rights on files/folders like I want to. Might have to look at other kind of apps, I guess.

[pcwacht]

In that case you need something wich puts the files in the database, or outside the html rootdir.

There is nothing simular yet for WB.

John

[KM-Linux]

Do you know, if something is planned to fix the problem?
I noticed it today too.