Current Record: secure #88

fields.ini file directive used only with container fields?. If this flag is set, then the field contents will be treated in a secure manner...

Current Record: secure #88

fields.ini file directive used only with container fields?. If this flag is set, then the field contents will be treated in a secure manner...

secure fields.ini directive

[Permalink]

fields.ini file directive used only with container fields?. If this flag is set, then the field contents will be treated in a secure manner and will obey the application permissions. If this directive is not set, then uploaded files in container fields? are served directly by the web server without considering application permissions. Setting this directive will cause the application use a special get_blob action to serve the uploaded file, and this obeys application permissions.

Example

Given a field to upload a PDF report, your fields.ini file section for this field might be something like:

[pdf_report]
    Type=container
    allowed_extensions="pdf"
    savepath="uploads"
    url="uploads"

Now if we upload a file named "foo.pdf" in this field, it will be uploaded to:

 http://www.example.com/path/to/myapp/uploads/foo.pdf
Now we change the field definition to use the secure directive:

[pdf_report]
    Type=container
    allowed_extensions="pdf"
    savepath="uploads"
    url="uploads"
    secure=1

In this case it will still upload files to the uploads directory, but all of the links generated in the Xataface interface (and via the display() and htmlValue() methods) will be for a URL like:

  http://www.example.com/path/to/myapp/index.php?-action=getBlob&-table=mytable&-field=pdf_report&record_id=10
Which will serve up the PDF file as an attachment.

Restricting Direct Access to uploads directory

Note: You still need to restrict access to the uploads directory or it may be possible for users to still guess the absolute URL to files in it. You can restrict access by placing an .htaccess file in the uploads directory (if you are using Apache) with the following contents:

deny from all

If you are using IIS or another web server you should look into the methods available for you to restrict access to directories.

HTTP Response Codes

The getBlob action? will return the following HTTP Response Codes:

  • 404 - If either the record does not exist, or the record's specified container field is empty.
  • 403 - If the current user doesn't have permission to access this record.
  • 500 - If there is another error. The actual error will be written to the error log.
blog comments powered by Disqus
Powered by Xataface
(c) 2005-2024 All rights reserved