
Protect files from direct download

Extension Key: fal_securedownload

TYPO3 Version: 12 LTS, 11 LTS, 10 LTS, 9 LTS, 8 LTS

Introduction

Sometimes you only want to make certain files available to registered users on the website. To do this, you can enable pages or content elements for registered users only.

However, anyone who knows the direct link to a file can still download it. This is because files are usually stored somewhere below the fileadmin directory and can be loaded directly via a link such as:

domain.de/fileadmin/user_upload/my_pdf.pdf

With the extension fal_securedownload you can protect files even better, because it uses a separate file storage, which can also be located outside the so-called document root, i.e. outside the TYPO3 project. The links to these files then no longer show the file path in plain text; instead, the files are downloaded via the extension.

In addition, directories can be released only for certain frontend user groups, which gives you a second layer of protection.

The following video and text instructions show how to set up this extension.

Prerequisite: Frontend user groups and users should already be set up, as well as the possibility of a frontend login.

Video instructions

The video instructions show how to set up and use the extension.

All the steps shown in the video can also be found below in text form.

Installation

The extension can be installed as usual via the extension manager. To do this, search for the extension key fal_securedownload in the "Add extensions" area.

Then click on the button on the left to download and install the extension. No further configuration of the extension is necessary.

Set up new file storage

The next step is to create a new file storage. In this example, we will create a directory outside of the so-called document root, i.e. outside of our TYPO3 project directory.

This has the advantage that this directory cannot be accessed via a web browser.

Log in to the shell with your SSH access data and create a directory for the protected files. As an example, we create a directory called secure in the typo3cms/ directory with the command

mkdir secure

Create file storage

The next step is to create a new file storage in the TYPO3 backend.

To do this, switch to the list module on the root page with the ID 0 and create a new data record of the type "File storage".

The easiest way to do this is to click on the plus button for the existing standard storage "fileadmin".

Read out absolute server path

For the next step, you need the absolute path to the secure directory on the server.

So switch back to the shell and go to the secure directory with the command

cd secure

You can display the server path with the command

pwd

Copy the output of this command to your clipboard (select with the mouse, then use the key combination ctrl+c (Windows, Linux) or cmd+c (Mac)).
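The following shell check is an added example, not part of the extension or the original instructions. It resolves the storage directory the way pwd does, refuses it if it physically lies inside the document root (for example because it is a symlink into fileadmin), and otherwise prints the absolute path with the trailing slash the file storage configuration expects. The document root name public and the symlink name secure_link are assumptions; the demo layout is constructed.

```sh
#!/bin/sh
# Added example: verify that a storage directory is really outside the
# web server's document root before using it as a TYPO3 file storage.

# Resolve a directory to its physical absolute path (symlinks followed).
resolve_dir() {
    ( CDPATH= cd -- "$1" 2>/dev/null && pwd -P )
}

# storage_base_path <storage-dir> <document-root>
# Prints the absolute storage path with a trailing slash.
# Exit status: 0 = outside the document root, 1 = inside it, 2 = path missing.
storage_base_path() (
    storage=$(resolve_dir "$1") || exit 2
    docroot=$(resolve_dir "$2") || exit 2
    case "$storage/" in
        "$docroot"/*)
            echo "refused: $storage is inside document root $docroot" >&2
            exit 1 ;;
    esac
    printf '%s/\n' "$storage"
)

# Constructed demo layout: typo3cms/public is assumed to be the document root.
demo=$(mktemp -d)
mkdir -p "$demo/typo3cms/public/fileadmin" "$demo/typo3cms/secure"
# A directory that looks like it is outside but points into fileadmin.
ln -s "$demo/typo3cms/public/fileadmin" "$demo/typo3cms/secure_link"

# Accepted: prints the absolute path ending in /secure/
storage_base_path "$demo/typo3cms/secure" "$demo/typo3cms/public"
# Refused: the symlink resolves to a directory below the document root.
storage_base_path "$demo/typo3cms/secure_link" "$demo/typo3cms/public"

rm -rf "$demo"
```
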

Configure file storage

Now switch back to the backend to the settings of the new file storage.

In the General tab, enter a title of your choice, for example Secure.

In the Configuration tab, enter the absolute server path that you read out in the previous step in the Path to base input field (key combination ctrl+v (Windows, Linux) or cmd+v (Mac)). Add a slash at the end of the path!

Select "absolute" for the path type.

In the Access tab, deactivate the checkbox for "Is publicly available?"

Then click on Save.

Now check whether the "Is online?" checkbox is active in the Access area!

If you now switch to the file list module, you should already see the new file storage. If only a TYPO3 error message appears instead, check again whether the checkbox for "Is online?" is active.

In the file list module, you can now create folders and upload files within the new file storage as usual.

In this example, we will create a folder called test1 and upload a few files of our choice to the folder for testing.

Set directory permissions

You can now assign user groups to the previously created folder.

To do this, left-click on the folder icon and select Folder permissions in the context menu.

In the mask that now opens, you will see all available user groups in the right-hand area. You can assign one or more groups to the folder by clicking on them.

Alternatively, you can also select "Show when logged in", in which case users will see the contents of the folder regardless of which specific group they belong to.

Output of the directories in the frontend

The extension also comes with its own plugin to display a directory tree in the frontend.

Create a new content element and select the General plug-in element in the Plug-ins tab.

In the content element, select the File tree item in the Plug-in tab in the selection box.

In the Storage selection box, select the newly created file storage, in our example Secure.

In the Folder selection box, select the starting point for the directory tree.

If you are logged in as a user in the frontend, you can now see the directory tree.

Links to protected files in content elements

Of course, the files are also protected from direct download if you link them in normal content elements.

As an example, create a new content element of the type Text & Media.

You can enter any text in the text field and use the link wizard to create a link to a file in the Secure file storage.

If someone now wants to call up the file in the frontend without being logged in as a frontend user, they will only receive an error message.

The extension documentation also describes how a redirection to any page can be implemented instead of the error message.

This page contains automatically translated content.

Updated: 17.07.2024