processwire / processwire-requests

ProcessWire feature requests.

If you move a page to trash, its assets are still accessible like before. #247

Closed suntrop closed 3 years ago

suntrop commented 5 years ago

Short description of the enhancement

Disallow access to assets of trashed pages.

Optional: Steps that explain the enhancement

  1. Attach a file to a page
  2. Trash that page
  3. Open the file URL and you get the file as before

Current vs. suggested behavior

Currently you can access all files of trashed pages. I think it is better to remove all access to assets of trashed pages.

Why would the enhancement be useful to users?

  1. I think this isn't the right behaviour or expected by many. When I put something in the trash I don't want it to be available anymore.
  2. This can be problematic, because not everybody can empty the trash (or knows of it) and perhaps thinks the files are gone.
  3. Other CMS don't have files attached to pages and the user (may) know to delete files separately. In PW files are tied to pages and the user doesn't see the requirement to delete files before moving the page to the trash.

I (a client of mine) currently have a problem because of it. An editor deleted a page with a PDF, because there is some kind of lawsuit against contents on it. The page and PDF were indexed by Google before. It was possible to click the indexed link to the PDF and open it. The editor thought he removed the page/file and didn't think there is more to do (I would have thought the same). Now there come some more legal issues with this, but those are not related to the CMS itself.

I don't know if it is a good idea, but maybe it is better to rename the asset's folder from '1234' to 'trash-1234'. I saw the page name is renamed, perhaps reuse the prefix of it to prefix the folder too. Or copy a .htaccess into the folder. Or make it a dot folder (files/.1234/).

ryancramerdesign commented 5 years ago

There is already an option for this built-in. See the $config->pagefileSecure option: https://processwire.com/api/ref/config/#api-pagefileSecure

Set it to true from your /site/config.php file and any pages that aren't viewable also won't have http accessible files unless user is logged in and has view permission to the page. Note however that it does add significant overhead for files to be protected in this manner because they have to be manually delivered by ProcessWire rather than just through Apache. Though that overhead only applies to pages that aren't viewable to guest.

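An audit for the situation discussed above, added here as an example (it is not code from this thread or from the ProcessWire project): it lists files of trashed pages whose asset directory is still served directly by the web server. It assumes the script sits beside the site's `index.php` and is run from the command line, and that secured directories carry the `$config->pagefileSecurePathPrefix` prefix.

```php
<?php namespace ProcessWire;

// Added audit example (not ProcessWire's own code). Assumes this file sits
// beside the site's index.php and is run from the command line.
include __DIR__ . '/index.php'; // bootstraps ProcessWire and defines wire()

$config = wire('config');
$pages  = wire('pages');

echo 'pagefileSecure is ' . ($config->pagefileSecure ? 'ON' : 'OFF') . "\n";

// Every page below the trash, regardless of status or access.
$trashed = $pages->find("has_parent={$config->trashPageID}, include=all");

$exposed = 0;
foreach ($trashed as $page) {
    // hasFiles() checks the disk without creating an empty directory.
    if (!PagefilesManager::hasFiles($page)) continue;

    $manager = $page->filesManager();
    $dir     = basename(rtrim($manager->path(), '/'));

    // Assumption: secured directories carry $config->pagefileSecurePathPrefix
    // (default "-") in front of the page ID and are not served directly.
    $prefix  = (string) $config->pagefileSecurePathPrefix;
    $secured = $prefix !== '' && strpos($dir, $prefix) === 0;
    if ($secured) continue;

    foreach (glob($manager->path() . '*') as $file) {
        if (!is_file($file)) continue;
        $exposed++;
        // Relative URL a guest could still request directly.
        echo "EXPOSED page {$page->id}: " . $manager->url() . basename($file) . "\n";
    }
}

echo $exposed ? "$exposed file(s) of trashed pages are still directly reachable\n"
              : "No directly reachable files found for trashed pages\n";
exit($exposed ? 1 : 0);
```

Run it once before and once after setting `$config->pagefileSecure = true;` in `/site/config.php`, then request one of the listed URLs in a logged-out browser session to confirm the result.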

matjazpotocnik commented 3 years ago

@suntrop, is a response from Ryan enough to close this feature request?

netcarver commented 3 years ago

It's been a while, so I'm closing this one now. Will re-open if needed.