fields.ini file directive used only with container fields. If this flag is set, the field contents are treated in a secure manner and obey the application permissions. If this directive is not set, uploaded files in container fields are served directly by the web server without considering application permissions. Setting this directive causes the application to use a special get_blob action to serve the uploaded file, and this action obeys application permissions.
Given a field to upload a PDF report, your fields.ini file section for this field might be something like:
Which will serve up the PDF file as an attachment.
Restricting Direct Access to uploads directory
Note: You still need to restrict access to the uploads directory or it may be possible for users to still guess the absolute URL to files in it. You can restrict access by placing an .htaccess file in the uploads directory (if you are using Apache) with the following contents:
deny from all
If you are using IIS or another web server you should look into the methods available for you to restrict access to directories.
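The following .htaccess is an added example, not part of the original page. It expresses the same "deny everything" rule so that it works on both Apache 2.2 and Apache 2.4, where access control moved to the `Require` directive. It assumes the file is placed in the uploads directory described above.

```apache
# uploads/.htaccess (added example, not from the original page)

# Apache 2.4 and later: mod_authz_core provides "Require".
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: fall back to the older Order/Deny directives.
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>

# .htaccess is only read when the server configuration permits it.
# "Require" needs AllowOverride AuthConfig; "Order"/"Deny" need AllowOverride Limit.
# With AllowOverride None this file is ignored and the directory stays reachable.
```

After installing the file, request a known upload by its direct URL and confirm the server answers 403 rather than returning the file.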
HTTP Response Codes
The getBlob action will return the following HTTP Response Codes:
404 - If either the record does not exist, or the record's specified container field is empty.
403 - If the current user doesn't have permission to access this record.
500 - If there is another error. The actual error will be written to the error log.