[SOLVED] Security in uploaded files element

vaughan

Member
Hi

I have an upload file element, and I need to assign security privileges to these files.

I need public privileges to upload a file, but only a specific user group can see or download these files.
I set the privilege in Fabrik, and it works fine, but if someone (the public group or some robot) knows the complete file URL, they can see the file.

How can I set the correct privileges so that only a specific user group can view this file?
Could you help me?

Thanks!
 
Hi,

How are you allowing for the download? Fabrik List, Form, or something else? When you say "URL", what type of URL do you mean? A link to what? If it's a file:// link, that is 100% operating system controlled with regard to permissions. If it is something else, let us know what and we can try to help further.
 
As genyded says, actual URL access to the file itself is outside of Fabrik's scope.

However, you can work round this by selecting "Obfuscate filename" for upload, and then using the "Download script" option. This way, the actual location / name of the file should never be made public (not even the person uploading the file would know the name it was given, or where we saved it to), and the only way it could be downloaded would be through a script, for which the URL does not include the filename (it specifies element ID and rowid instead).

That way, access to the file is then totally within Fabrik's normal ACLs.

-- hugh
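
The download-script pattern described in the post above, sketched in plain PHP as an added example (it is not Fabrik's or Joomla's code and not from any poster): the request carries only an element ID and row ID, and the group check runs before any path is built. It assumes the files are stored outside the web root so that no URL maps to them directly; the index, IDs, group numbers and paths are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not Fabrik's code. Every name, ID and path here is hypothetical.

// Assumption: this directory is outside the web root (or denied by the web server).
const STORAGE_ROOT = '/var/private/uploads';

// Constructed sample index: "elementId:rowId" -> stored (random) name, name shown to
// the user, and the group IDs allowed to read the file.
const FILE_INDEX = [
    '12:7' => ['stored' => '9f2c1e7ab4.bin', 'display' => 'report.pdf', 'groups' => [8]],
    // Deliberately bad record, to show the path check below rejecting it.
    '12:9' => ['stored' => '../../configuration.php', 'display' => 'x.pdf', 'groups' => [8]],
];

/**
 * Returns [absolute path, download name] or throws.
 * $userGroups is the group ID list of the logged-in user, supplied by the caller.
 */
function resolveDownload(int $elementId, int $rowId, array $userGroups): array
{
    $entry = FILE_INDEX[$elementId . ':' . $rowId] ?? null;
    // Same error for "no such row" and "not allowed", so the script never
    // confirms which rows have files attached.
    if ($entry === null || array_intersect($entry['groups'], $userGroups) === []) {
        throw new RuntimeException('Not found');
    }
    // Defence in depth: the stored name must be a bare file name, never a path.
    if (basename($entry['stored']) !== $entry['stored']) {
        throw new RuntimeException('Not found');
    }
    return [STORAGE_ROOT . '/' . $entry['stored'], $entry['display']];
}

// Constructed requests: allowed group, wrong group, bad record, unknown row.
foreach ([[12, 7, [8]], [12, 7, [1]], [12, 9, [8]], [12, 99, [8]]] as [$el, $row, $groups]) {
    $label = "element=$el row=$row groups=" . implode(',', $groups);
    try {
        [$path, $name] = resolveDownload($el, $row, $groups);
        echo "$label -> serve $path as $name\n";
    } catch (RuntimeException $e) {
        echo "$label -> 404\n";
    }
}
```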
 
Hi, thanks for your answers.

I'm sorry for answering so late.

I set Fabrik with Obfuscate filename and download script, but I see a security failure: if someone knows the files' names, or uses any software to track them, could they get the files?
If someone knows the URL http://mydomain/folder/xxx.pdf, they can see all the information.

How can I increase security? I'm using Fabrik to store confidential data.

Regards
 
Is it possible to encrypt the files?
Another possibility would be to protect that directory with a user and password. Is it possible to run the upload as a specific user with privileges? Like "run as" on Microsoft servers.
 
You can set the access for the download element (or any other element) in Fabrik (access tab for the element). You can also do the same for pages (menu links) in Joomla. So if you set all that up correctly, how can someone not authorized "see" the file based on a URL?

You could encrypt (but you would have to write that or use some 3rd party tool), but if the user has rights I would think you would then want to decrypt, so I do not see that being the solution. If you are talking about users being able to browse to the directory itself... see http://docs.joomla.org/Security_Checklist/Joomla!_Setup
 
OK, thanks for your help! I think I have the correct configuration. I'm not a security expert, but I'm now more relaxed with your comments.

Regards
 