[solved] [FC 1.5.x] secure files above DocumentRoot

Hi there,

Looks like the "Path to secure files folder" in the general settings does not accept absolute paths to directories above / outside the DocumentRoot.
If so, in which way is the "secure" option more secure than the default one? What sort of protection is actually added?
From my experience with other scripts allowing secure downloads, the only feasible method to actually prevent hot linking and keep files away from prying eyes is by placing the files above the DocumentRoot.

For intra and extranets where highly confidential data is moved, any solution which does not contemplate what i have just described might be delusional and compromising.

An explanation and possible workarounds would be much welcome.

This is an outstanding issue we are willing to address ourselves.
Would be interesting to add this to the dev branch once we finish it.

cool thanks for devellopping for this project
regards

Hello!

Did this development take place? Is it now possible to store files outside the joomla directory? Thanks.

i didn't think ... :oops:

The download field plugin:
(a) checks access level of the user before it allows downloading, and
(b) also does not reveal the location of the file (it can reveal the filename if you allow),

So you can do these:

1. change secure folder in Global config
2. rename folder via ftp
3. -optionally- you could also add an .htaccess file with password inside the folder

you are done,
people will never know the real location of the file, and if they do find URL in some way, they will not be able to download it, because it is protected by the web server.

I guess we could automate the above 3 steps, randomizing the folder name and adding an .htaccess in the folder with some random password (will work for apache servers only)