Closed gebeer closed 5 months ago
@gebeer I wasn't able to duplicate this. With pagefileSecure enabled, I created a page and uploaded a file. Viewed the file and copied the URL. Then trashed the page. Opened an Incognito window (i.e. guest user) and accessing the file URL gave me a 404.
However, If I previously viewed the file with guest user, it did initially load the file even after the page was trashed. But it was because of browser cache. Viewing with cache disabled or hitting reload on the image gave a 404.
Something to check is on your file system /site/assets/files/1234/
where 1234 is the page ID. When a file is blocked (such as when page in trash) the directory has a leading dash, i.e. "-1234" rather than "1234". If you find it's not the case, and pagefileSecure was enabled prior to the file being placed in the trash, then let me know, as it's always possible there's more conditions involved to reproduce.
and pagefileSecure was enabled prior to the file being placed in the trash,
Thank you @ryancramerdesign for looking into this. The config setting was put in place after the fact. So that explains the behaviour. I couldn't find that requirement documented anywhere when doing a search prior to posting this issue. Done a search again which pulled up this forum thread https://processwire.com/talk/topic/15646-how-does-pagefilesecure-work/ where it is mentioned that files are only protected after the config setting is in place.
Maybe you could add that information to the entry for $config->pagefileSecure
at https://processwire.com/api/ref/config/
Sounds good, I will add that. Thanks.
On Fri, Apr 19, 2024 at 9:19 PM gebeer @.***> wrote:
and pagefileSecure was enabled prior to the file being placed in the trash,
Thank you @ryancramerdesign https://github.com/ryancramerdesign for looking into this. The config setting was put in place after the fact. So that explains the behaviour. I couldn't find that requirement documented anywhere when doing a search prior to posting this issue. Done a search again which pulled up this forum thread https://processwire.com/talk/topic/15646-how-does-pagefilesecure-work/ where it is mentioned that files are only protected after the config setting is in place.
Maybe you could add that information to the entry for $config->pagefileSecure at https://processwire.com/api/ref/config/
— Reply to this email directly, view it on GitHub https://github.com/processwire/processwire-issues/issues/1911#issuecomment-2067498335, or unsubscribe https://github.com/notifications/unsubscribe-auth/AACQEUC4TNGCJUZDLOUJRTTY6G7CTAVCNFSM6AAAAABGO6JSPKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANRXGQ4TQMZTGU . You are receiving this because you were mentioned.Message ID: @.***>
Short description of the issue
with $config->pagefileSecure set to true, files of trashed pages are still accessible to guest users
Expected behavior
Links to files of trashed pages should result in 404
Actual behavior
files of trashed pages are still accessible to guest users
Steps to reproduce the issue
Setup/Environment