The Social Media Department would like a directory where they can upload images and other media that need to be kept private until we are ready to publish them. Ideally, if a user enters the URL for a private file, they would get a 404 error rather than a login prompt or an "access denied" message.
Because the Social Media Department does not want to have to move images once an article is ready to be published, what they really need is a way for images saved to the WordPress Media Library (or some other folder) to return a 404 error while the articles they belong to are unpublished, and to display for anyone once those articles are published.
Our users like to try to guess what we'll be announcing by entering random image file names once they know the URL structure for the images.
The only way is to track which files you want to allow, which you want to block, or both. At some point you have to ask, "can this file be served?" That's not hard to code, but it could be an expensive operation per request.
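As a rough illustration of that per-request check, here is a sketch of a front controller for a private media directory, assuming requests for files in that directory are rewritten to this script and that WordPress core is loadable from the same install. `attachment_url_to_postid()`, `get_post_field()`, `get_post_status()`, `get_attached_file()`, and `status_header()` are real WordPress functions; the paths and the rewrite setup are assumptions.

```php
<?php
// Sketch only: serve a media file if its parent article is published,
// otherwise answer with a plain 404, exactly as for a file that never existed.
require_once __DIR__ . '/wp-load.php';

$url           = home_url($_SERVER['REQUEST_URI']);
$attachment_id = attachment_url_to_postid($url); // 0 if WordPress doesn't know it

$parent = $attachment_id ? get_post_field('post_parent', $attachment_id) : 0;

if (!$parent || get_post_status($parent) !== 'publish') {
    status_header(404); // indistinguishable from a missing file
    exit;
}

// The parent article is published, so stream the file.
$file = get_attached_file($attachment_id);
header('Content-Type: ' . get_post_mime_type($attachment_id));
header('Content-Length: ' . (string) filesize($file));
readfile($file);
```

This is the expensive part the answer warns about: every image request now boots WordPress and runs a database lookup, so you would likely want to cache the published/unpublished decision.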
To keep users from guessing names, you can either prepend/append a random string (per Graham Walters) or hash the whole name. Don't forget to suppress auto-indexing of the directory via the Options directive in .htaccess, or with a "Nothing to see here folks, move along." index.html file.
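The directory-listing part is a one-liner, assuming your Apache config allows `Indexes` to be overridden in .htaccess:

```apache
# In the media directory's .htaccess: suppress the auto-generated listing.
Options -Indexes
```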
If users can somehow get hold of the names (say, via a leak), but there aren't too many "embargoed" files, the embargoed files could be added to an .htaccess blacklist similar to hotlink protection. Return a 404 if anyone requests those files not via your official pages. Remove them from the blacklist once they go live. If you set up the hotlink protection correctly, you may be able to forbid access to whole classes of files (such as by filetype), except for your official pages.
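The blacklist idea might look like this in .htaccess, assuming mod_rewrite is enabled; the file names here are hypothetical placeholders for whatever is currently embargoed:

```apache
# Sketch of an embargo blacklist: requests for these files return 404
# until the files go live and are removed from the list.
RewriteEngine On
RewriteRule ^images/(spring-launch|teaser-02)\.jpg$ - [R=404,L]
```

The `R=404` flag makes Apache answer with a plain 404 rather than a redirect, which matches the "pretend it doesn't exist" requirement.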
A client running WordPress has requested the development of the following feature on their website.
They would like to include/exclude specific files (typically PDF) uploaded via the WordPress media uploader from search results.
I'm guessing this could be done somehow using a robots.txt file, but I have no idea where to start.
Any advice/ideas?
This is from the Google Webmasters developer site: https://developers.google.com/webmasters/control-crawl-index/docs/faq
How long will it take for changes in my robots.txt file to affect my search results?
First, the cache of the robots.txt file must be refreshed (we generally cache the contents for up to one day). Even after finding the change, crawling and indexing is a complicated process that can sometimes take quite some time for individual URLs, so it's impossible to give an exact timeline. Also, keep in mind that even if your robots.txt file is disallowing access to a URL, that URL may remain visible in search results despite the fact that we can't crawl it. If you wish to expedite removal of the pages you've blocked from Google, please submit a removal request via Google Webmaster Tools.
And here are specifications for robots.txt from Google https://developers.google.com/webmasters/control-crawl-index/docs/robots_txt
If your file's syntax is correct, the best answer is just to wait until Google picks up your new robots.txt file.
I'm not certain how to do this within the confines of WordPress, but if you're looking to exclude particular file types, I would suggest using the X-Robots-Tag HTTP header. It's particularly useful for PDFs and other non-HTML file types where you would normally want to use a robots meta tag.
You can add the header for all requests for a specific file type and set its value to noindex. This will prevent the PDFs from being included in search results.
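On Apache (with mod_headers enabled) that could go in .htaccess or the vhost config, for example:

```apache
# Tell crawlers not to index or follow links from any PDF the server serves.
<FilesMatch "\.pdf$">
    Header set X-Robots-Tag "noindex, nofollow"
</FilesMatch>
```

Unlike robots.txt, this still lets Google crawl the file; it just instructs it not to show the file in results, which is usually what you want for "exclude from search" requests.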
You can use the robots.txt file if the URLs end with the filetype or something that is unique to the file type. Example: Disallow: /*.pdf$ ... but I know that's not always the case with URLs.
https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
I am currently trying to develop an image uploading website by using CodeIgniter.
The thing is, I came across an issue today and I would really appreciate any kind of help in order to solve it.
So basically, the site is working, but the files are not private. A user may want to ensure that the files they upload are visible only to them, and not to someone who just guesses a bunch of URLs. (E.g. user1 uploads image1, which he wants to keep private, for himself => [localhost/upload_script/files/image1.jpg]; user2 can access image1 by guessing and typing the URL [localhost/upload_script/files/image1.jpg], which is what we don't want to happen.)
I have done some research and I think that this would probably require another controller for serving the files (which checks for session data).
I have been "playing" with sessions etc in PHP for quite some time in the past, but I am not that familiar with them in CodeIgniter.
Is this the only way? I don't think I need to create separate directories for each user, do I? Can you please tell me how to head to the right direction or give me an example?
Thanks in advance,
harris21
In order to protect files, you will need to keep them outside of your web root; otherwise people will always be able to URL-hack their way round.
I have used the very handy mod_xsendfile for apache (if you have that kind of access to your server) which will allow you to serve files that can be protected by access control and not accessed without the appropriate credentials.
Code snippet that you could put in your CI controller to display an image (adapted from the mod_xsendfile page):
...
if ($user->isLoggedIn()) {
    header("X-Sendfile: $path_to_somefile");
    header('Content-Type: image/jpeg');
    exit;
}
If you cannot install mod_xsendfile then your only other option would be to use readfile() as TheShiftExchange says.
Use PHP to return images, and lock the image directory away behind the web server root. This way, before serving an image you can check the user's credentials via a session variable, ensuring that they are allowed to view the image. Otherwise you can redirect the user straight back to the website, alerting them that they do not have access. Serving images like this is slower than serving them directly via the web server (Apache, nginx, ...), but it gives you control over who downloads the images.
To be more exact, save the image details in a database, for example with columns: id, file_path, title, uid. Every time a user wants to download an image, for example by calling http://domain.com/files/download/3, you can check whether image 3 can be downloaded by the currently logged-in user. You need to write your own controller to do that.
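A controller along those lines might be sketched as follows. This is CodeIgniter 3 style; the table name, column names, session key, and storage path are all assumptions, and `show_404()`, `$this->db->get_where()`, and `$this->session->userdata()` are standard CodeIgniter facilities:

```php
<?php
// Sketch: GET /files/download/3 serves the file only if it belongs
// to the logged-in user; anything else gets a 404.
class Files extends CI_Controller
{
    public function download($id)
    {
        $uid = $this->session->userdata('uid');
        $img = $this->db->get_where('images', array('id' => (int) $id))->row();

        // Same response for "missing" and "not yours": no information leak.
        if (!$img || $img->uid != $uid) {
            show_404();
            return;
        }

        // Files live outside the web root, so this is the only way in.
        $path = FCPATH . '../private_files/' . $img->file_path;
        header('Content-Type: image/jpeg');
        header('Content-Length: ' . (string) filesize($path));
        readfile($path);
    }
}
```

Returning 404 for both unknown and forbidden IDs means a guesser can't even confirm that an image exists.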
I am doing a similar thing here http://www.mediabox.si/ you can check how images are served. I am allowing thumbnail images and I am watermarking larger images visible to ordinary visitors.
The ONLY way is to store the images outside the public_html. Otherwise by definition you are opening the file to direct access.
Use a controller to check whether the user is allowed to access the file, and the PHP function readfile() to serve it.
You can read some code at one of my other questions here: Does this PHP function protect against file transversal?
And this is actually VERY fast - you won't notice a performance hit at all
I have a growing website with around 30k images in 4 sizes, for a total of 120k files. My current solution is storing them in a DB, and from what I've read on Stack Overflow this seems to be a very bad idea.
I'm starting to see why: I've noticed a drastic decrease in performance. I think the obvious solution is to move these images to a folder setup, and I'd like to use the user's ID as a directory name and then have public and private subdirectories.
The structure would look like this:
/54869
    /public
        /size_1/img1.jpg
        /size_2/img1.jpg
        /size_3/img1.jpg
        /size_4/img1.jpg
    /private
        /size_1/img2.jpg
        /size_2/img2.jpg
        /size_3/img2.jpg
        /size_4/img2.jpg
What is the best way to secure this private folder and only provide other users access if the owner of the file has granted permission?
I'd also like to prevent users from simply viewing the contents of any folder but I suppose I could perform a check client side to fix this.
Any thoughts or suggestions?
You could make that folder not accessible from the web (e.g. place the folder outside htdocs or add .htaccess rules).
Create a PHP script which handles all requests to the private images.
This script would have to do the following:
check if the user is authenticated
check if the user is authorized to view the requested image
open the image and print it to the browser (you need to set correct http headers to make sure the content is treated as an image)
Then, in your HTML, simply point to /secret_image.php?id=3 or maybe you want to use the path of the image /secret_image.php?p=/54869/public/size_1/img1.jpg
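A minimal secret_image.php following those three steps might look like this. The database credentials, table, and column names are assumptions, and the files are presumed to live in a private_images directory outside the web root:

```php
<?php
// Sketch: secret_image.php?id=3
// 1) authenticate, 2) authorize, 3) stream the image with correct headers.
session_start();

if (!isset($_SESSION['uid'])) {
    http_response_code(403); // not authenticated
    exit;
}

$pdo  = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');
$stmt = $pdo->prepare(
    'SELECT file_path, owner_uid, is_private FROM images WHERE id = ?'
);
$stmt->execute(array((int) ($_GET['id'] ?? 0)));
$img = $stmt->fetch(PDO::FETCH_ASSOC);

// Private images are visible only to their owner; answer 404 either way.
if (!$img || ($img['is_private'] && $img['owner_uid'] != $_SESSION['uid'])) {
    http_response_code(404);
    exit;
}

$path = __DIR__ . '/../private_images/' . $img['file_path'];
header('Content-Type: image/jpeg');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Note that looking files up by a numeric id, rather than by a caller-supplied path as in the ?p= variant, also sidesteps directory-traversal problems.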
You can try this:
imageViewer.php?imgID=XXX, where XXX = hashFunction(salt . imgName)
Then do all the processing in imageViewer.php, such as checking whether the user has permission.
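The token derivation is the only non-obvious part of that scheme; a small sketch, with the salt and function name as assumptions (the answer's hashFunction is not specified):

```php
<?php
// Derive an unguessable, stable token from the file name plus a
// server-side salt; store it alongside the image and look images up by it.
function image_token(string $imgName, string $salt): string
{
    // HMAC rather than a bare hash($salt . $name): same idea,
    // but not vulnerable to length-extension games.
    return hash_hmac('sha256', $imgName, $salt);
}

$token = image_token('image1.jpg', 'server-secret-salt');
$url   = 'imageViewer.php?imgID=' . $token;
```

Remember this only stops guessing; imageViewer.php must still check the session before serving, since a leaked token is as good as a leaked file name.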
I need to redirect URLs that access the site's images directly to the appropriate content section of the site. For example, the image test.jpg is used in the section http://www.mysite.com/article1, and my image path is domain/images/test.jpg. If a user browses the image directly via the URL domain/images/test.jpg, I would like to redirect them to the article section.
What you are trying to do works against the principles of the web. A web browser loads that image of yours the same way when someone reads the article as it does when somebody accesses the image "directly".
If you only want to disable access to browsing your image collection, i.e. the directory listing of the images, that's fine and you can easily disable that in your web server.
However -- and I think that's what you are trying to do -- if you try to find out the difference how somebody accesses an image, either while reading "article1" or by loading it "directly", then things get complicated. You could use some kludges like setting cookies in the article and that you check for when loading the image... But it is probably more trouble than it's worth.
Basically, a friend just gifted me an old domain to develop; it has quite a few inbound links and it's getting a lot of 404 hits.
The basis of the site is to let users hotlink images off it, to put in forum signatures / blog comments and whatnot. I was wondering if there is a way to redirect all these broken image links to a single image which will show up on their page (basically with a little message saying the site's back up with new images!).
I'm developing the new site on Kohana and using CPanel to admin the hosting (if any of this helps).
Well, I guess, since you're using PHP, that there's some sort of "retrieve image based on ID" function.
If you're storing your images in a directory, try using:
$image = file_exists('path/to/my/img.png')
    ? 'path/to/my/img.png'
    : 'path/to/my/default/img.png';
If you're storing them in a DB, follow the same logic. Instead of using file_exists() check if the query returned something.
If mod_rewrite is available, you can add a rewrite rule for all pictures not corresponding to any file names, together with a RewriteCond to filter out requests from your own site according to HTTP_REFERER. I think this article will explain this in more detail for you.
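A sketch of such a rule set in .htaccess, with the fallback image path as a placeholder:

```apache
# Rewrite requests for image files that no longer exist on disk
# to a single "we're back" image. The fallback image does exist,
# so the rule cannot loop.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule \.(gif|jpe?g|png)$ /images/were-back.jpg [L]
```

If you also want to catch hotlinks to images that still exist, add a RewriteCond on %{HTTP_REFERER} excluding your own domain, as the answer suggests.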
The simplest method (on Apache) is:
ErrorDocument 404 /url/pointing/to/image/you/want/to/serve.jpg
But this will serve up the image for ALL 404s within the vhost/location/directory you specify this handler for, so a simple typo on a legitimate request will still get this image.
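To narrow the blast radius, you can scope the directive to just the old image directory; the paths here are hypothetical. In the main server config that looks like:

```apache
# Only requests under the old image directory get the fallback image;
# 404s elsewhere on the site keep the normal error page.
<Directory "/var/www/site/old-images">
    ErrorDocument 404 /images/were-back.jpg
</Directory>
```

If you only have .htaccess access (as is typical on CPanel hosting), put the bare ErrorDocument line in an .htaccess file inside that directory instead, since Directory blocks aren't allowed there.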