I have a webserver with Apache.
For security reasons my customer wants to access files (.jpg/.pdf/.png/.gif) in another folder.
The root layout is as follows:
backup
data
etc
htdocs
logs
tmp
In the htdocs folder the Joomla website resides. I use flexicode to add PHP code to the site.
Is there a way I can show for example a photo in .jpg from the data folder?
Example: /data/werknemers/80111/pasfoto.jpg
There is a little snag. Everybody uses a pin number to log into Joomla. In this case pin 80111.
Pin 80111 is added to the users table, the field is called pin.
Is it possible to use a variable to retrieve the data? So only user 80111 can access his or her folder and not another one?
The photo is shown in a module on the website after login.
Cheers,
Steve
You'll have to write a PHP script in Joomla (for the authorisation), and give Apache access to the external folder. Then deliver your files using this script.
I'm not a Joomla user, but my first choice would be to look for a plugin to manage the uploads. I saw some plugins to manage uploads per user in a quick Google search, for example this one.
If none of them works for you, I think the next option would be to try to implement an asset proxy.
Write a script in htdocs to validate the PIN and, if it is OK, read the file content from the data directory and provide the output from that script.
A rewrite rule to redirect all .jpg/.pdf/.png/.gif requests to that proxy will be needed.
Be careful to serve the non-secure content (theme images, for example) as well.
Hope this helps
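A sketch of the asset proxy described in the answers above, as an added example that is not part of the original posts and is not Joomla or flexicode code. It assumes the login code stores the authenticated user's pin in $_SESSION['pin'] (a hypothetical stand-in for looking up the pin field of the logged-in Joomla user), and that the script name, the "file" parameter and the DATA_ROOT path are placeholders.

```php
<?php
// Added example: serve-file.php inside htdocs (hypothetical name).
// ASSUMPTIONS: DATA_ROOT, the "file" parameter and $_SESSION['pin'] being
// set at login are stand-ins; adapt them to the real site.
const DATA_ROOT = '/data/werknemers';  // outside htdocs, readable by Apache
const MIME_TYPES = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

/** Map a requested name to a real path in the user's own folder, or null. */
function resolve_user_file(string $root, string $pin, string $name): ?string
{
    // The pin comes from the session, never from the request. Digits only.
    if (!ctype_digit($pin) || $name === '') {
        return null;
    }
    $base = realpath($root . '/' . $pin);
    $path = realpath($root . '/' . $pin . '/' . $name);
    // realpath() resolves ../ and symlinks; the result must stay under $base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    // Only the allowed file types are served, judged on the resolved path.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return array_key_exists($ext, MIME_TYPES) ? $path : null;
}

session_start();
$pin  = (string) ($_SESSION['pin'] ?? '');
$name = $_GET['file'] ?? '';
$path = resolve_user_file(DATA_ROOT, $pin, is_string($name) ? $name : '');
if ($path === null) {
    http_response_code(404);  // same reply for "missing" and "not yours"
    exit;
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . MIME_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the folder is chosen from the session and not from the URL, a module would reference the photo as serve-file.php?file=pasfoto.jpg, and user 80111 can never name another user's folder.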
My page in WordPress has a button like "Go to the next".
I am trying to get my PHP file to run by clicking the button.
<form action="https://"domain name".com/hoge.php" method="POST"></form>
The PHP file runs successfully if I place it directly in the domain.
(like, https://"domain name".com/hoge.php)
However, the PHP file cannot be run if I place it in the themes folder, and the response is 404 not found.
(like, https://"domain name".com/public_html/wp-content/themes/hoge.php)
So I have 2 questions.
Why can't the PHP file be accessed if I place it in the themes folder?
Talking about security, is it safe to place my PHP file in the domain directly?
(like, https://"domain name".com/hoge.php)
wp-content implies this is a WordPress site.
WordPress changes the .htaccess to prevent exactly this. The .htaccess will not let you access the sub PHP files directly.
Answer for question 1:
There are a lot of factors affecting where your file is located. It might involve the RewriteRule in the .htaccess configuration, your platform configuration, or you may just have created the file at the wrong location or with the wrong name.
Answer for question 2:
Yes, it is unsafe, because it can be accessed by anyone else. So you need to perform some authentication check before executing the written code, for example use SESSION to check that the user is already logged in before executing your code.
Your way of handling the FORM is perfectly OK when developing in core PHP. But WordPress has its own way of handling a FORM. You can check out this blog on how to handle the FORM in the WordPress way.
I have registered a wildcard subdomain record for the dir /.../public_html/hosting/accounts/. When a user requests a hosting space, I generate a folder in accounts. My index.php (which is also the 404 ErrorDocument) in accounts uses some basic PHP code to determine the subdomain and the path. It then displays the file using include({subdomain}/{requested file}).
Therefore, demo.example.com/file would trigger a 404 and the index.php will display the file at example.com/hosting/accounts/demo/file.
I am, however, concerned that the users would be able to access the files of others via get_file_contents, include, exec, etc.
Is this the correct way to provide hosting on a subdomain? Is there another way to do it?
Any assistance would be appreciated!
I wrote a custom module, which logs errors to an external text file. The files are kept in
/sites/all/modules/custom/my_module/logging/
The problem is, if the user knows the name of the file, they can go directly to it. For example, if they go to:
http://localhost/MySite/web/sites/all/modules/custom/my_module/logging/
They will get a forbidden error. But, if they know the name of the document and go to:
http://localhost/MySite/web/sites/all/modules/custom/my_module/logging/myFile.txt
the full file is rendered to the browser. Is there a way to prevent this? Ideally, I would like to show the files to certain users but at the very least prevent it altogether.
Thanks, Jason
Very simple method...
Put a .htaccess file in the logging folder and inside that put
deny from all
It looks like you have Options -Indexes somewhere; this will prevent a client from viewing a folder that does not have an index file.
Good day all,
I have a folder called documents in my site root. This is password protected by a .htpasswd file, but it is allowed to be accessed by a script to view.
How would I allow a script to be able to download the file without accessing it directly from the directory?
I'll give an example to explain the situation.
On my home page I display the picture test.jpg. This image is in the documents folder that is protected. The image displays correctly on the home page.
If I type www.domain.com/documents/test.jpg in the address bar, it does not display or download, but asks for a password. (This I want, but I don't want people to type in a password for each file they want to download.)
Is there a way that I can make PHP or JavaScript download the document without ever having to prompt for a password? In other words, bypass the .htaccess rule?
Thanks in advance
I've retagged, adding PHP and JavaScript. There is nothing stopping you writing a remapper PHP script which is outside the documents folder and therefore accessible without Apache authentication. This could issue a readfile() to send the file (see the document example and user contributions for a more detailed explanation). Since this is a server-side script, it will have direct access to the protected directory.
Of course you might want to implement some form of access control, say appending a request parameter check which is based on the md5 of the filename plus a shared secret. This would be easy to compute in the calling script. However, once you move such access negotiation to a client-side script you need to accept that this could be retro-engineered and exploited by any experienced hacker.
As a footnote, if you want to allow users to download your images, why are you locating them in an access-controlled directory? Why not just move them out of this directory?
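The remapper script with a request-parameter check, as an added example that is not part of the original answer. It uses HMAC-SHA256 (PHP's hash_hmac) where the answer suggests an md5 of the filename plus a shared secret, since HMAC is the standard keyed construction for this; the script name, the parameter names f and sig, DOCS_DIR and the secret are all placeholders.

```php
<?php
// Added example: download.php, placed outside the protected documents folder.
// ASSUMPTIONS: DOCS_DIR, LINK_SECRET and the parameter names "f" and "sig"
// are hypothetical placeholders.
const DOCS_DIR    = __DIR__ . '/documents';
const LINK_SECRET = 'replace-with-a-long-random-value';  // server-side only

/** Signature the calling script appends to a link for $file. */
function sign_file(string $file, string $secret): string
{
    // HMAC-SHA256 over the file name, keyed with the shared secret.
    return hash_hmac('sha256', $file, $secret);
}

/** Link the home page would emit for a file it is willing to hand out. */
function download_link(string $file, string $secret): string
{
    $query = ['f' => $file, 'sig' => sign_file($file, $secret)];
    return 'download.php?' . http_build_query($query);
}

/** Return the verified file name from the query string, or null. */
function verify_request(array $query, string $secret): ?string
{
    $file = $query['f'] ?? '';
    $sig  = $query['sig'] ?? '';
    if (!is_string($file) || !is_string($sig) || $file === '') {
        return null;
    }
    // A bare file name only: no directory parts, so no ../ traversal.
    if ($file !== basename($file)) {
        return null;
    }
    // hash_equals() compares in constant time.
    return hash_equals(sign_file($file, $secret), $sig) ? $file : null;
}

$file = verify_request($_GET, LINK_SECRET);
if ($file === null || !is_file(DOCS_DIR . '/' . $file)) {
    http_response_code(403);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . addcslashes($file, '"\\') . '"');
header('X-Content-Type-Options: nosniff');
readfile(DOCS_DIR . '/' . $file);
```

The signature must be computed in the server-side page that emits the link; a link signed this way stays valid for anyone who obtains it until the secret is changed.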
As Barry said, the .htaccess is processed before any PHP is, so bypassing it is not an option. You will have to either change the .htaccess configuration or write a remapper PHP script.
I suggest changing the .htaccess configuration to allow direct download links but deny directory listing. This will allow people to download direct links such as http://www.example.com/documents/some-file-name.ext without being prompted for a password, but they will have to know the link ahead of time - they won't be able to view the /documents/ folder to see everything in there.
You can do this by commenting out or removing the Auth directives:
#AuthUserFile /path/to/.htpassword
#AuthName "Name"
#AuthType Basic
#Require Valid-User
And adding a directive to block directory listing:
Options -Indexes
I have a PHP account with my provider, and I also have cPanel installed for me.
I currently have two Drupal sites there; let's call the main one myMainSite and another one, under construction, myNewSite.
So when I go to www.myMainSite.com, I go to the main site. When I go to myNewSite.myMainSite.com, I go to the Drupal site that is under construction.
My question is, when my under-construction site goes live, I want all users that go to www.myMainSite.com to see the new site (the one that is under myNewSite.myMainSite.com).
How can I accomplish this with cPanel? Is it within the "addon domains" configuration?
I don't want a redirect that changes the address bar, i.e., I want to keep the original URL.
You would just change the DocumentRoot of www.mainsite.com to point to the same DocumentRoot as myNewSite.myMainSite.com.
I assume you've used cPanel's subdomain control panel to add myNewSite.myMainSite.com. And I'll assume myMainSite.com is in the /public_html/ folder. Therefore the new site (and site with a subdomain) will be at /public_html/myNewSite.myMainSite.com.
Why can't you just use File Manager (or FTP) to move all the files in /public_html/ to /public_html/OLDsite?
Then move everything from /public_html/myNewSite.myMainSite into the /public_html/ folder.
Then check your site is working with the new files.
Maybe you could also send a support ticket to your host to see if there's another way. It could be as simple as them changing something in Apache's conf file for the myNewSite.myMainSite.com subdomain.
I'd also think you'd need to change the settings in Drupal (when you've changed domain) so Drupal knows the new domain name too.
I recommend you have 2 main user accounts called oldlive and newlive.
You may have domains like
oldlive.myMainSite.com and newlive.myMainSite.com
Then you can add the parked domain myMainSite.com to oldlive.myMainSite.com while you are not ready.
Once you have completed the new site, which is currently in newlive.myMainSite.com, you remove the parked domain from oldlive.myMainSite.com and move it to newlive.myMainSite.com.
Then you can transfer the domain smoothly.
You can use the "Redirects" option in cPanel to redirect all visitors from the old to the new site.
Or you can simply change the VirtualHost in Apache for your main domain to the directory of your finished (currently under construction) site.
Agree with the previous answer. If you would like to load the sub-domain's contents on the main site then you will need to move the data from the sub-domain's directory to the root directory, that is public_html.
Just make sure you do not have any live site on your main domain. If your main domain has a working site on it and you upload the contents under the root directory, then your website won't work due to a conflict in contents.
If that's not possible then you will need to upload the contents under one sub-directory in public_html, and after that you can access the site by yourP_website_name/directory name.
Once you are done moving the contents, you will need to update the base URL to the new site URL. It is present in cPanel >> File Manager >> public_html >> Sites/Default/Settings.php