2.0.0 RC2
On my install, files can be downloaded outside PhocaDownload. In the Phoca Download File section I set access to Registered, but users can still, without logging in, go to http://domain/phocadownload/file_name and the download will begin.
How to protect files so that they can only be downloaded by registered users to Joomla/PhocaDownload?
Files can be downloaded outside PhocaDownload
-
decksys
- Phoca Newbie

- Posts: 3
- Joined: 09 May 2011, 15:43
-
noorgat.b
- Phoca Newbie

- Posts: 6
- Joined: 08 May 2011, 14:57
Re: Files can be downloaded outside PhocaDownload
Hi,
You have raised an interesting issue.
I don't know of a solution, but suggest you rename the "phocadownload" folder to something else to keep out simple hackers...
May not help if someone shares the actual link....
Regards
Basheer
-
decksys
- Phoca Newbie

- Posts: 3
- Joined: 09 May 2011, 15:43
Re: Files can be downloaded outside PhocaDownload
Rename is a possibility, only most quickly learn to gain access to the site structure and are able to see the files in plain sight.
Since my post I played around with mod_rewrite and found the below to be working. It keeps all out and only allows downloads through Joomla/Phoca. Perhaps this could be part of the install instructions in case others have files they don't want to be downloaded outside Phoca (for security, statistics or similar reasons).
Here it is:
# secure htaccess file
# Block direct HTTP access to .htaccess and .htpasswd
<Files ~ "^\.(htaccess|htpasswd)$">
order allow,deny
deny from all
</Files>
# Turn off directory listings
Options -Indexes
RewriteEngine On
# Forbid .exe/.zip requests whose Referer is non-empty and is not this site
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?replace_with_your_domain_name\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(exe|zip)$ - [F]
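An added example, not part of the original posts and not Phoca code: a Python model of the two RewriteCond lines and the RewriteRule from the post above, run over constructed requests to show which ones the rules answer with 403. `example.com` stands in for `replace_with_your_domain_name.com`, and the sample paths and Referer values are constructed.

```python
import re

# Constructed stand-in for the poster's "replace_with_your_domain_name.com".
SITE = "example.com"

# The two RewriteCond patterns and the RewriteRule pattern from the post.
COND_SITE = re.compile(r"^http://(.+\.)?" + re.escape(SITE) + "/", re.IGNORECASE)  # [NC]
COND_EMPTY = re.compile(r"^$")
RULE = re.compile(r".*\.(exe|zip)$")  # no [NC] on the rule, so case-sensitive


def is_forbidden(path, referer=""):
    """Return True when the posted rule set would answer 403 ([F])."""
    if not RULE.search(path):
        return False  # rule pattern does not match, the file is served
    # RewriteCond lines are ANDed, and both are negated with "!".
    return not COND_SITE.search(referer) and not COND_EMPTY.search(referer)


# Constructed requests: (description, path, Referer header value).
SAMPLES = [
    ("link on another site", "setup.zip", "http://other.example.net/page"),
    ("link on own site", "setup.zip", "http://www.example.com/downloads"),
    ("no Referer header sent", "setup.zip", ""),
    ("own site served over https", "setup.zip", "https://www.example.com/downloads"),
    ("extension not in the rule", "manual.pdf", "http://other.example.net/page"),
]


def audit():
    """Evaluate every sample and return (description, outcome) pairs."""
    return [(desc, "403" if is_forbidden(p, r) else "served") for desc, p, r in SAMPLES]


if __name__ == "__main__":
    for desc, result in audit():
        print(f"{result:7} {desc}")
```

The Referer header is supplied by the client, so these rules limit hotlinking rather than enforce the Registered access level. If the component streams files through PHP (an assumption about this install), denying all HTTP access to the folder with `Require all denied` (Apache 2.4) removes the dependence on that header.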
- Jan
- Phoca Hero

- Posts: 49144
- Joined: 10 Nov 2007, 18:23
- Location: Czech Republic
- Contact:
Re: Files can be downloaded outside PhocaDownload
Hi, thank you for the info.
Jan