er314
commented
2 years ago This would really be awesome (to me :-) : strict access control to file assets exactly where needed, and no performance impact elsewhere. An opinion about the feasibility ?
Open er314 opened 2 years ago
er314
commented
2 years ago This would really be awesome (to me :-) : strict access control to file assets exactly where needed, and no performance impact elsewhere. An opinion about the feasibility ?
er314
commented
2 years ago Any feedback on this ? This would be awesome, and this would bring comprehensiveness & consistency in terms of access control : fine-grained down to field-level, whatever the access control method.
er314
commented
1 year ago up ! an aknowledgement of reading, in the form of a polite "no, it's not in the roadmap", would be greatly appreciated ! 😁 so I can move forward to an alternate solution, with the assurance that the best solution will not eventually come afterwards.
er314
commented
1 year ago For the record (as I myself had forgotten), here is Ryan's answer, done on PW forums in sept. 2022, regarding this feature request :
Yes, I think that's a good suggestion. Whether we can implement in the future I'm not so sure yet because files for a page are all stored in the same directory that doesn't have separate secure vs. open files. Either the entire directory is secured or it is not, which is why the entire page has secure files or does not (based on template setting). Most likely we'd get around that by using some prefix on the secure files that makes them inaccessible to Apache, such as a leading period (or hyphen, like it does for directories). I would say that for the short term, if there's a module that already has the capability it would probably be better to use that for now. (And maybe a separate file Fieldtype for this purpose is a good way to go either way). For long term I do think there's a good possibility we'll also have field-level access control for files in the core, but don't know if we'd solve it in the same way (Fieldtype module) or integrate into the existing files field.
Short description of the enhancement
The existing capability to enforce access control on file assets at template level ("yes always" mode) is a great feature. This was described in your post : https://processwire.com/talk/topic/24217-weekly-update-%E2%80%93-28-august-2020/
I see a possible improvement to this mechanism. It's only a performance improvement. Let's illustrate it : In my opinion, the main use case for the enforcement of access control on file assets is for some very specific fields, for example a given File field on a given template, where this file has strong confidentiality constraint. On ther other hand, the images fields on this template don't have any specific confidentiality constraints. So the use case is : For a given template, all file assets (including images) don't need access control enforcement (so these assets can be delivered directly by Apache), EXCEPT one field which needs access control enforcement. With this use case, the best performance would be obtained if we could do the following :
.b. is the capability which doesn't exist yet. Does it make sense ?