fileupload with download script generates error if log is on

[lcollong]

Hi,

I need to control who is allowed to download files. Using the "use Download Script" in the "Downloads" panel of the FileUpload element, it generates an error if switching on the "log Downloads" button :

http://www.xxxxxx/index.php?option=...8&formid=73&rowid=1&repeatcount=0&ajaxIndex=0

Can't find anything else from the return than : ERR_INVALID_RESPONSE

All the others setting works as expected. The fabrik log table exists (empty).

I really need to log who and when downloaded which file.

Also, is there a way to protect direct access to the file providing the full url path to it (guessing the file name as the directory itself will not display its content) ?
Except using "Obfuscate Filename" option ? Such as htaccess "deny from all" with exceptions ?

Actually, the files won't be uploaded but built from within the app (dynamic pdf). Thus I will update the table column with the right file name each time a new version of the pdf is built.

Any advice welcome.

Thanks

 

[cheesegrits]

Logging should be fixed with this commit:

https://github.com/Fabrik/fabrik/commit/f77ef95b4bd35467466773e58415cb137d1185a4

As using the download link doesn't require that the browser directly accesses the folder the file is stored in, you should just be able to block access to the downloads folder using whatever htaccess technique you prefer.

-- hugh

 

[lcollong]

Thanks. Everything's fine.
Is there another way to make downloaded log data available in a fabrik's list than a cron script parsing the "message" column of the log table and inserting records in the target one ? Is the flag column of the fabrik_log table could be used as an "already inserted" indicator by such a script or has it some other purpose ?
Is there any generic fabrik log analyser as it may contains several others useful info ?
Any existing "helper" to parse'n display Json Data as "pseudo" columns ?

 

[cheesegrits]

Is there another way to make downloaded log data available in a fabrik's list than a cron script parsing the "message" column of the log table and inserting records in the target one ?

You could build a view in MySQL to represent the data any which way you can build a valid query to do it, then build a Fabrik list from that.

Is the flag column of the fabrik_log table could be used as an "already inserted" indicator by such a script or has it some other purpose

I'm 99.9% sure we don't use it for anything.

Is there any generic fabrik log analyser as it may contains several others useful info ?

Nope. That's left as an exercise for you. A start would be to simply build a Fabrik list on it, and create whatever filters suite your needs.

Any existing "helper" to parse'n display Json Data as "pseudo" columns ?

Nope.

One of these days I'd like to find some time to add a Logs tab on the backend and provide some built in log analysis, but it's a big task, and there's just not enough demand to make it viable and justify the time and effort. Like many things I'd like to do to Fabrik, it'll either happen when I need it for a specific project, or a critical mass of people are prepared to fund the work.

-- hugh

 

[lcollong]

Ok. I suspected such answers
The interesting part of the log table is json encoded and apparently my version of MySQL doesnot know Json funtions....
I'll see. Thanks for your answers.

 

[lcollong]

As a follow up : is the "use download script" feature expected to work together with the "use Ajax upload" feature ? I tested it and it doesn't.

 

[cheesegrits]

Should do, works for me.

Sent from my HTC6545LVW using Tapatalk

 

[lcollong]

Indeed. Did not drive my test far enough as my "problem" is the following :

I want to protect the uploaded docs from being directly reachable from outside the application with an url such as www.mysite.com/images/stories/mydoc.pdf/ . Of course, one has to guess the right path/filename, but it's not "impossible".

Thus, the idea to set the "use download script" feature on together with a "deny from all" htaccess file on the /images/stories directory.

It works perfectly well on list and detail mode including, indeed, with the ajax upload feature. Users can download from within the application but files are unreachable through a direct link.
But the users are frequently updating their records and could potentially add or suppress pdf files as well. In edit mode, the file are presented with a direct link to it. Not using the download script. Thus the "deny all" makes Apache sending a beautiful "FORBIDDEN" to the user whom is really granted to see and download his own file !

How could I solve this security problem ?

 

[cheesegrits]

Hmm, yeah, I see the problem. Not sure there's much I can do about that without an hour or two's work to modify the AJAX ImageWidget to use the download link instead of the direct path when building the uploader widget. And thinking about it, won't actually be possible for new images, as when adding new forms or new uploads, the data simply won't exist on the server side. The download link works by taking the form ID, row ID, element ID and (optionally) the repeat count for the row (and repeat instance) of that element, and using that to look up the file path from the coresponding table. But of course when creating a new form, or adding new uploads to an existing form, that data doesn't exist until after the form has been submitted and the row written out to the table.

So the only way round that is not to use AJAX.

Or to rely on "security through obscurity" and obfuscate the image name.

-- hugh

 

[lcollong]

Ok. Thanks for the explanation

"security through obscurity"

might be the reasonable way to go in this particular situation.