How to protect files in var directory?


Tomasz Jakubowski

Wednesday 01 August 2007 11:54:27 pm

I create content with an image. The content is in a protected area (login is needed to see it). But if I put a direct link to the image file in the browser, I can see it.
So, the system isn't protected from access without login.

Is there any solution to protect files in the var directory?

André R.

Thursday 02 August 2007 12:37:39 am

Remove the rewrite rules that let users download images directly from var.
It will be a lot slower, but it will check access rights on every image request.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Tomasz Jakubowski

Thursday 02 August 2007 2:47:05 pm

Thanks for your response but I still have a problem with that.

I removed the rewrite rules for the var directory, but now I can't see any images on my site. The behaviour is the same for the admin user and the anonymous user. When I put a direct image link (like: http://example.com/var/siteaccess/storage/images/folder/zdjecie/1579-1-pol-PL/zdjecie_large.jpg) into the browser, I get an eZ error page with the error message: The requested module var could not be found.

Are there any special configuration options?

My configuration of eZ Publish - virtual host.
My .htaccess file:

DirectoryIndex index.php

<FilesMatch "(index\.php|\.(gif|html|css|jpe?g|png|ico|js|asf|avi|wmv|swf|xsl|jar|pdf|doc))$">
order allow,deny
allow from all
Options FollowSymLinks Includes ExecCGI
</FilesMatch>

RewriteEngine on

RewriteBase /

# first we rewrite the root dir to the handling php script
RewriteRule ^$ index.php [L]
RewriteRule ^index\.html$ index.php [L]

# exclude here directories or files eg. your webmail, phpadsnew, pphlogger
#Rewriterule ^var/storage/.* - [L]
#Rewriterule ^var/[^/]+/storage/.* - [L]
#RewriteRule ^var/cache/texttoimage/.* - [L]
#RewriteRule ^var/[^/]+/cache/texttoimage/.* - [L]
Rewriterule ^design/[^/]+/(stylesheets|images|javascript)/.* - [L]
Rewriterule ^share/icons/.* - [L]
Rewriterule ^extension/[^/]+/design/[^/]+/(stylesheets|images|javascripts?)/.* - [L]
Rewriterule ^packages/styles/.+/(stylesheets|images|javascript)/[^/]+/.* - [L]

RewriteRule .* index.php [L]

André R.

Friday 03 August 2007 5:30:24 am

Sorry for giving you wrong advice; it seems like only files (as in Word, PDF etc.) can be served like this through content/download.

Images are protected in the way that if you don't have access to it, you will get text saying "you don't have access to this image" instead of the image. So basically you only get the link if you have access, given that you use the ez templates for generating the url / image tag.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom
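
The effect of the var/ rewrite rules discussed in this thread, as an added example that is not part of the original posts: a small Python model of the posted .htaccess that shows which request paths Apache serves itself (no eZ Publish access check) and which reach index.php, with the var/ pass-through rules active and with them commented out. It assumes first-match-wins evaluation because every rule carries [L], ignores the FilesMatch block, and uses sample paths that are constructed except for the image URL quoted in the thread.

```python
import re

# Pass-through rules for var/, transcribed from the commented-out lines above.
VAR_RULES = [
    (r"^var/storage/.*", "-"),
    (r"^var/[^/]+/storage/.*", "-"),
    (r"^var/cache/texttoimage/.*", "-"),
    (r"^var/[^/]+/cache/texttoimage/.*", "-"),
]
HEAD = [(r"^$", "index.php"), (r"^index\.html$", "index.php")]
TAIL = [
    (r"^design/[^/]+/(stylesheets|images|javascript)/.*", "-"),
    (r"^share/icons/.*", "-"),
    (r"^extension/[^/]+/design/[^/]+/(stylesheets|images|javascripts?)/.*", "-"),
    (r"^packages/styles/.+/(stylesheets|images|javascript)/[^/]+/.*", "-"),
    (r".*", "index.php"),
]
BEFORE = HEAD + VAR_RULES + TAIL   # var/ rules active
AFTER = HEAD + TAIL                # var/ rules commented out, as posted

def route(url_path, rules):
    """Return 'static' if Apache serves the file itself (no eZ Publish
    access check) or 'index.php' if the request reaches the front controller."""
    path = url_path.lstrip("/")      # per-directory rules see no leading slash
    for pattern, target in rules:    # every rule carries [L]: first match wins
        if re.search(pattern, path):
            return "static" if target == "-" else "index.php"
    return "static"                  # no rule matched: Apache default handling

def bypassing(paths, rules):
    """Paths that never reach index.php under the given rule set."""
    return [p for p in paths if route(p, rules) == "static"]

# Sample requests: the first path is from the thread, the rest are constructed.
SAMPLES = [
    "/var/siteaccess/storage/images/folder/zdjecie/1579-1-pol-PL/zdjecie_large.jpg",
    "/var/siteaccess/cache/texttoimage/title.png",
    "/design/standard/images/logo.gif",
    "/content/download/1/2/report.pdf",
    "/",
]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, bypassing(SAMPLES, rules))
```

With the var/ rules removed, the image path reaches index.php, which matches the "module var could not be found" error reported above: routing the request to eZ Publish does not by itself make it serve the image.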
