secure fields.ini directive

A fields.ini directive used only with container fields. If this flag is set, the field contents are treated in a secure manner and obey the application's permissions. If the directive is not set, files uploaded to container fields are served directly by the web server, with no check of application permissions at all. Setting the directive makes the application serve the uploaded file through a special getBlob action, which does obey application permissions.

Example

Given a field used to upload a PDF report, the fields.ini section for that field might look something like:
Now, if we upload a file named "foo.pdf" through this field, it will be stored at:

http://www.example.com/path/to/myapp/uploads/foo.pdf

Next we change the field definition to use the secure directive:
In this case files are still uploaded to the uploads directory, but all of the links generated in the Xataface interface (and via the display() and htmlValue() methods) will point to a URL like:

http://www.example.com/path/to/myapp/index.php?-action=getBlob&-table=mytable&-field=pdf_report&record_id=10

which serves the PDF file as an attachment.

Restricting Direct Access to the uploads directory

Note: You still need to restrict access to the uploads directory, or users may be able to guess the absolute URL of files in it and fetch them directly. If you are using Apache, you can restrict access by placing an .htaccess file in the uploads directory with the following contents:
If you are using IIS or another web server, consult that server's documentation for the methods available to restrict access to directories.

HTTP Response Codes

The getBlob action will return the following HTTP response codes:
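The two controls described above (the secure directive on each container field, and an .htaccess that denies direct requests to the uploads directory) are easy to forget when a new table is added. The following Python script is an added example written for this page; it is not part of Xataface. It audits an application directory for container fields that lack secure=1 and checks that uploads/.htaccess contains an Apache deny directive. It assumes the usual Xataface layout of tables/<table>/fields.ini under the application root, that container fields are declared with Type=container, and that the uploads directory sits directly under the application root; the sample fields.ini and .htaccess contents are constructed for the demonstration.

```python
"""Audit a Xataface application for unsecured container fields and an
unprotected uploads directory. Added example for this page; not Xataface code.

Assumptions (not stated on the page): fields.ini uses one [section] per field,
container fields are declared with Type=container, the secure directive is
written as secure=1, and the uploads directory is <app>/uploads.
"""
import configparser
import json
import sys
import tempfile
from pathlib import Path

# Constructed sample fields.ini: one secured container field, one unsecured
# container field, and a plain text field the audit must ignore.
SAMPLE_FIELDS_INI = """\
[title]
widget:type=text

[pdf_report]
Type=container
secure=1

[cover_image]
Type=container
"""

# Constructed sample .htaccess for the uploads directory (Apache 2.4 syntax;
# on Apache 2.2 the equivalent directive is "Deny from all").
SAMPLE_HTACCESS = """\
# Refuse every direct request for files in this directory.
Require all denied
"""

# Values treated as "directive not set" (assumption about Xataface's truthiness).
FALSE_VALUES = ("", "0", "false", "no", "off")

# Apache directives that block all direct access (2.2 and 2.4 syntax).
DENY_DIRECTIVES = ("deny from all", "require all denied")


def parse_fields_ini(text):
    """Parse fields.ini text. Only '=' separates keys from values, because
    Xataface keys such as widget:type contain a colon."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case so "Type" and "type" both survive
    parser.read_string(text)
    return parser


def unsecured_container_fields(ini_text):
    """Return the names of container fields whose secure directive is not set."""
    parser = parse_fields_ini(ini_text)
    findings = []
    for field in parser.sections():
        section = parser[field]
        ftype = section.get("Type", section.get("type", "")).strip().lower()
        if ftype != "container":
            continue
        if section.get("secure", "").strip().lower() in FALSE_VALUES:
            findings.append(field)
    return findings


def htaccess_denies_all(htaccess_text):
    """True if the .htaccess carries a directive that denies all direct access."""
    for raw in htaccess_text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop comments
        if line in DENY_DIRECTIVES:
            return True
    return False


def audit_app(app_dir):
    """Audit every tables/*/fields.ini plus uploads/.htaccess under app_dir."""
    app = Path(app_dir)
    report = {"unsecured": {}, "uploads_protected": False}
    for ini in sorted(app.glob("tables/*/fields.ini")):
        bad = unsecured_container_fields(ini.read_text())
        if bad:
            report["unsecured"][ini.parent.name] = bad
    htaccess = app / "uploads" / ".htaccess"
    if htaccess.is_file():
        report["uploads_protected"] = htaccess_denies_all(htaccess.read_text())
    return report


def demo_audit():
    """Build a throwaway app from the constructed samples and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        table_dir = root / "tables" / "mytable"
        table_dir.mkdir(parents=True)
        (table_dir / "fields.ini").write_text(SAMPLE_FIELDS_INI)
        (root / "uploads").mkdir()
        (root / "uploads" / ".htaccess").write_text(SAMPLE_HTACCESS)
        return audit_app(root)


if __name__ == "__main__":
    # Pass an application root to audit it; with no argument, audit the sample.
    result = audit_app(sys.argv[1]) if len(sys.argv) > 1 else demo_audit()
    print(json.dumps(result, indent=2))
```

Run it as `python audit_uploads.py /path/to/myapp`; any table listed under "unsecured" has a container field still served straight from the uploads directory, and `"uploads_protected": false` means no deny directive was found. This is a static configuration check only: it cannot tell whether AllowOverride permits the .htaccess to take effect, so it should be paired with an actual request for a known upload URL to confirm the server refuses it.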