processwire / processwire-issues

ProcessWire issue reports.

$config->pagefileSecure shows files of trashed pages to guests #1911

Closed gebeer closed 5 months ago

gebeer commented 5 months ago

Short description of the issue

With $config->pagefileSecure set to true, files of trashed pages are still accessible to guest users.

Expected behavior

Links to files of trashed pages should result in 404

Actual behavior

Files of trashed pages are still accessible to guest users.

Steps to reproduce the issue

  1. Create a page that has a PDF file attached and shows a link to that file in the frontend for download
  2. Keep track of the URL for that download
  3. Trash the page
  4. Access the URL from step 2 as guest user

Setup/Environment

ryancramerdesign commented 5 months ago

@gebeer I wasn't able to duplicate this. With pagefileSecure enabled, I created a page and uploaded a file. Viewed the file and copied the URL. Then trashed the page. Opened an Incognito window (i.e. guest user) and accessing the file URL gave me a 404.

However, if I previously viewed the file with guest user, it did initially load the file even after the page was trashed. But it was because of browser cache. Viewing with cache disabled or hitting reload on the image gave a 404.

Something to check is on your file system /site/assets/files/1234/ where 1234 is the page ID. When a file is blocked (such as when page in trash) the directory has a leading dash, i.e. "-1234" rather than "1234". If you find it's not the case, and pagefileSecure was enabled prior to the file being placed in the trash, then let me know, as it's always possible there's more conditions involved to reproduce.
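A filesystem check for the directory naming described in the comment above, as an added example that is not part of the thread or ProcessWire's own code: given the IDs of pages whose files should be blocked, it reports which ones still have a directory without the leading dash. The ID list, the function names and the flat `/site/assets/files/<id>/` layout are assumptions, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

SECURE_PREFIX = "-"  # leading dash on blocked directories, per the comment above


def audit_file_dirs(files_root, protected_ids):
    """Classify page IDs whose files should be blocked (e.g. trashed pages).

    protected_ids is supplied by the caller (assumption: exported from the
    site's database or admin); this script does not talk to ProcessWire.
    """
    root = Path(files_root)
    report = {"exposed": {}, "blocked": [], "missing": []}
    for page_id in sorted(protected_ids):
        plain = root / str(page_id)
        secured = root / f"{SECURE_PREFIX}{page_id}"
        if plain.is_dir():
            # No leading dash: the directory is not marked as blocked.
            # Checked first so a stray plain copy is never masked.
            report["exposed"][page_id] = sorted(
                p.name for p in plain.iterdir() if p.is_file()
            )
        elif secured.is_dir():
            report["blocked"].append(page_id)
        else:
            # Page has no files directory at all.
            report["missing"].append(page_id)
    return report


def demo():
    """Run the audit over a constructed directory tree (sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site" / "assets" / "files"
        (root / "1234").mkdir(parents=True)
        (root / "1234" / "report.pdf").write_bytes(b"%PDF-sample")
        (root / "-1235").mkdir()
        (root / "-1235" / "invoice.pdf").write_bytes(b"%PDF-sample")
        (root / "1300").mkdir()  # published page, not in the protected list
        return audit_file_dirs(root, {1234, 1235, 1236})


if __name__ == "__main__":
    for status, pages in demo().items():
        print(status, pages)
```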

gebeer commented 5 months ago

> and pagefileSecure was enabled prior to the file being placed in the trash,

Thank you @ryancramerdesign for looking into this. The config setting was put in place after the fact. So that explains the behaviour. I couldn't find that requirement documented anywhere when doing a search prior to posting this issue. Done a search again which pulled up this forum thread https://processwire.com/talk/topic/15646-how-does-pagefilesecure-work/ where it is mentioned that files are only protected after the config setting is in place.

Maybe you could add that information to the entry for $config->pagefileSecure at https://processwire.com/api/ref/config/

ryancramerdesign commented 5 months ago

Sounds good, I will add that. Thanks.
