Document Protection for Members Area in Revo

Hi, I've set up a members-only area on a Revo 2.0 site and created a page which will have links to downloadable documents of various kinds. Only members should be able to download these.

However, it's possible for people to override the resource protection by just browsing directly to the folder where the documents are held: /content/files/members-files

I tried creating a .htaccess to put into this folder with the following:

Order allow,deny
Deny from all

But this stops even members from downloading the files.

I also heard about a FileDownload snippet ("Pirate edition", which didn't fill me with confidence) but this appears to be Evo only.

Anyone know how I can allow members to download their files but stop non-members from browsing to them and downloading them?

In Revolution.we create a Static Resource (http://rtfm.modx.com/display/revolution20/Static+Resource), the alias of which will be seen by the browser, and we place this static resource in the appropriate Resource group. We save it, and then we edit it and point it to the file.

To add additional content types, you can do so under System/Content types.

http://rtfm.modx.com/display/revolution20/Content+Types

Under Settings you'll need to set your Content type to the correct type of file (it will add the extension automatically to the alias).

So for example we'd create a container document called: boardmembers
Under that we'd create a series of Static Resources for each file so if it was team.doc the url would be: site.com/boardmembers/team.doc. The alias for the static resource would simply be team.

If you go to that when not logged in and it is locked out by belonging to a resource group, a user won't be able to download the document. When you are logged in you'll be able to download the document. You have to use the Static Resource field to point to the actual document.

So presumably, if we have site.com/boardmembers/team.doc as a resource url and we also put the actual team.doc document in a physical folder of the exact same name maybe then MODX would override the physical folder thus protecting it.

Oh gosh... Now I'm confused.

Is the container document published? Can it be viewed by anyone? Does it have content (links) to the documents? FileLister?

Oh boy... Well, I gotta do this exact thing very soon (now) so I'm in with any and all help here.

I need standard pages viewable, plus file downloads viewable and selectable by specific users/groups.

Okay, but the file would still be in a physical location as well as the Static Resourxce location, wouldn't it?

In terms of the MODx backend it would be in site/container/file

But it would still need to be uploaded to a physical location, and the physical location wouldn't be protected....

@Frogabog, this is partly my problem- and I don't see that adding the doc as a static resource in a password-protected (members only) area actually works in terms of the site physical structure- as the file still needs to be uploaded and needs to be sitting somewhere physically (e.g /content/files/members-files)...

...so I don't know...

Actually I have been told by my programmer that this won't work.

What you have to do is put the files in another folder, something oddly named for example:

/yEjy87uiakdja089kj5599i

Put your files into that folder.
Use a static resource to point to the file in this folder.
We are then going to try to put an .htaccess that tells Apache to deny all so that Apache won't serve up the page, but MODX, because it's not a URL but will go through the files system, it should serve it up through the alias.

Couldn't the static resource be just about anywhere? Maybe a subdirectory at the root? I wonder if .htaccess could hide the actual location, so that when it's typed in manually it goes nowhere?

FWIW - I learned something yesterday... don't name subdirectories at the root or install level that have the same name as a resource with FURL's activated. MODX gets lost trying to find yourSite.com/pageName and can't connect to the database. I had an old wp install with the same name as new articles container - doh! It still wonked after removing wp because the directory was still there.

Yes, I originally tried using .htaccess in the folder. It certainly denied access via browsing the filesystem externally, but it also stopped access and downloading via the members page (it caused a redirect to my MODx 404)...

So you give the static resource in the /yEjy87uiakdja089kj5599i directory a unique alias then, right? Not the page name of the static resource.



rx2 - Would you be so kind as to provide some .htaccess examples please?

As far as I can tell (and from what happened when I tried using a .htaccess in the physical folder) the Apache permissions override anything MODx does, so even logged-in members can't download the document inside that physical folder. I'm not aware of any way around it- in fact MODx and Apache permissions is a pain, one time in order to create a simple htaccess-protected folder for another project, I had to set up the files and docs on a subdomain of the MODx-based domain, so that there wasn't a conflict.