Hello,

I have one security issue which i am struggling to get around on a site I am building for a client.

A user of the website who is not logged on or is not an authorized member of
the website can access files and resources I have uploaded to the members area of the site.

You have to log into the members area to see the list of files, but an unlogged user could potentially access the files by accessing the url of the file directly if they knew it/guessed it etc…

This is a worry for my client, and I was hoping someone here might be able to point me in the right direction towards a solution.

These forums have been very helpful to me in developing the website in expression engine so far, so thanks a lot to all the posters and answerers!

Thanks,
Inge

Hi Inge,

Welcome to the forums .

There is currently no native way of doing this.  You may want to look at the linklock module to see if it fills your need.  I’ll move this to how-to to get some more eyes on it.

~pascal

The Linklocker module is definitely a great way to go on this one as Pascal has said.

Another thing you might want to look into are the in-built Template Access Restrictions where you can make it so that a non logged-in user can’t access a certain template until they log in.

That might help too on this one if you just want to stop non-logged in users from viewing the template.

Best wishes,

Mark

Thanks for your replies Pascal and Mark .

I had been trying a few other methods without success including all sorts of messing with the .htaccess files etc, having had a look at the Linklocker module it looks like the thing.

As far as I can see I would need to purchase the commercial version rather than the free one, so one quick question before I go ahead:

The admin user in this instance can upload members-only files in the publish form on a few particular pages but they tend to add links throughout the body text, rather than in a particular custom field. 

As I can’t really anticipate how many links the admin user will want to put on a given page, I’m not certain about using custom fields for this purpose. Does the Linklocker module require the link to be placed in custom field?

Thanks again for your input.