Document Protection for Members Area in Revo

I'm waiting for .htaccess sample. I have no idea.

No, the funny named directory is just where you put your files.
The Static Resource is a resource in MODX that you can put anywhere in the tree and the alias will be whatever alias you assign to it, but it is different than where you put the file so that people have no idea where the real file is. This at least hides where the file actually is.

Within the Static Resource itself, you point to file using the Static Resource Field in the Content tab.

Someone will come along with the answer. Not like this hasn't been encountered before, can't possibly be.

Wish I had a popcorn eating sitting back watching smilie thing to insert here...

Ok so I got it to work.

I made a folder where I place all my secured documents. For the test I called it ruby.
In that folder I placed a file called test.doc.
I then placed a .htaccess file with the following command:



in the same folder.

When i went to the site, ie. http://site.com/ruby/test.doc I got an Access Denied error as expected.

In MODX i made a resource with empty for template and called it Documents with an alias of doc.
I made the resource a container, published it, and saved it.

I created a new Static Resource (right-clicked Documents and clicked Create -> Create Static Resource Here) under the Documents container. I selected empty for a template (which seems then take away the Static Resource field). I gave the document a name of Test and an alias of test. I went to the Settings tab and noted that I hadn't yet created the applicable Content Type. So I saved the document.

I went to System/Content Types and added a Word content type. I called it Word, with a mime type of application/msword and an extension of .doc and saved it. It's probably a great idea to input all the content types you are using now.

I went back to the Static Resource document I'd created earlier. In the Static Resource tab, I pointed the Static Resource field to my document (ruby/test.doc).

I went to the Settings tab and selected Word as a content type. I placed the document in a Resource Group (called members incidentally). I saved the document.

I went to the site and logged in with a user who has access to the members resource group and went to the url: http://site.com/doc/test.doc.

I got the file. I confirmed I cannot get to this file if I am not logged in via direct URL and even when logged in I cannot get to where the file actually is, at /ruby/test.doc.

Very nice! Thank you. Now to test and find out what kind of files she's going to be serving.

Is there anything else special in the .htaccess file? I assume MODX FURL section of .htaccess remains?

I'm a little stuck on permissions. Doe this kind of user have Load, List and View for all Context, Resource, and Media Source Access Policies?

If I wanted a user to only be able to view the pages where the documents are listed , Load, List, and View is too much, right? (you didn't specify how you're listing documents for down, load. FileLister? And In what page do you plan to list them? Not the container document, correct? The container is being used here as a dummy... ??

I'm looking at a site where some users would have more permissions than others, based on real life permissions. A potential user (student evaluating a program) would need to be able to see the files available. Ideally this page serves both the list for the members who have access, and for potential users.


Thanks again for all your help.

This is just a new .htaccess file in that folder. I don't know enough about Apache to know if anything else is needed. This just tells apache don't serve up anything from this folder. You don't need to modify the .htaccess file in the root folder.

The Static Resources are just like any other resource and can be part of a Wayfinder call for example. Links to them can be in any document in the site, though ideally they'd only appear in a document that is in the same resource group.

I'm no permissions expert but in my case I have Load, List, and View for the members User Group for the web context and for the Members Resource Group. If you have more contexts, you'd have to add them Context Access tab. Haven't played much with Media Sources.

I might be missing something here but I also need to create a secure Partners area for a client that contains a number of downloadable docs. My approach is (was) to make the clientsite.com/partners a members only section. Partners could only access this section on the site if they registered first.

Are you saying that this solution would not work for you?

That solution works. What we are also talking about is securing the documents themselves if someone knows the direct path to the documents, such as site.com/docs/document.doc and puts that in the URL space of the browser directly.

Guys - try this MODX extra. Tried it here and it protects the docs from hotlinking
http://rtfm.modx.com/display/ADDON/FileDownload+R.FileDownload

Static resources can be linked to files outside of the web root, so they can't be directly accessed from a browser.