Uploading files into BLOB field in MySQL
Hello, I'm new to Vanilla. I've got my forum set up almost exactly how I want it. My only issue is that I need to make software installation packages available for download within the forum-- only to members of certain roles-- while preventing download by anyone else (i.e. guests or even authenticated users with the wrong RoleID). I (as the only administrator) will be the only one needing to upload files. All such files will likely be ZIPs under 2 MB.
I've been back and forth through the Vanilla Add-ons, and I can't find an upload tool that allows me to prevent downloads by people who aren't logged in, provided they know the web address. Since I'm in a shared hosting environment, I only have access to web-accessible directories, which means any file I upload into the file structure is directly downloadable. I wouldn't be terribly surprised if there's some option or trick here to do what I want (perhaps with the Attachment add-on?), but if so I'm missing something.
One easy way I know of to control access to download files is to read the file data directly into a MEDIUMBLOB field in a MySQL table. I've done this before, and it's simple to code the uploader/downloader utility. My issue is tying it into Vanilla. I've had the hardest time trying to read the Vanilla session variables (simply to grab the userID!), and I've finally given up (even after poring over every comment I could find on the subject in this community forum).
Thoughts? Suggestions? Smacks upside the head and fingers pointed toward the obvious? Anything would be appreciated! :-)
Comments
Handling permissions in Vanilla extensions is as simple as:
if($Context->Session->User->Permission('PERMISSION_SOME_PERMISSION')){ ... }
grep is your friend.
Where am I supposed to put that code? I'm afraid it doesn't mean much to me standing alone like that. I want to base the permission on RoleID.
Also, when using chmod in the past, I've found that my PHP scripts can only access files if they've got the everyone-read bit enabled, which means they're also accessible to direct download. This isn't the case if I code in ASP.NET, but that doesn't help us here. Perhaps this is a limitation of my hosting situation? Or perhaps, again, I'm missing something.
I've never worked with .htaccess before. I'm looking into it now...
grep is your friend.
I tried including a very basic .htaccess file in one of my directories, and it's being ignored. According to several tutorials I've read, a lot of hosting providers don't allow you to upload your own .htaccess files. Apparently mine is one of them.
To hit again on one of my original questions, are there any add-ons that allow for uploading files directly into MySQL? It would certainly be the simplest solution, since only those roles that can access the thread in question would be able to access the download.
Thanks for the help!
If your extensions already handle the permissions then there is no need to code anything.
What server is it? Is it Apache?
If so, try dropping the .htaccess file below in the directory where the files are kept:
deny from all
grep is your friend.
Again, I'm not following you on the permissions thing. Is this some sort of add-on? The only "permissions" I can play with are what comes in the "Roles & Permissions" control panel; within that, I can give a role the ability to "Add Attachments" or "Manage Attachments." That's it. I can't set access permission for any specific file. And although the file has been attached to a particular discussion, any user-- even ones in roles that cannot access that discussion-- can still download it.
For that matter, even if .htaccess were to prevent direct download of that file using "deny from all," it occurs to me that we've still got a problem. The hyperlink that's generated in the discussion (.../?PostBackAction=Download&AttachmentID=1) is completely outside of site security. Because it's a script, it can access the download file despite .htaccess, yet it completely ignores the fact that only registered, authenticated users are even allowed into the forum. So any user can just copy paste that link and post it somewhere else... which is exactly what I'm trying to prevent.
Are you asking the point of importing files into the database? It may be personal preference, but I find it quicker, cleaner, simpler. Keep it all in one place, manage it entirely with SQL. Understand, I'm not just talking about Vanilla, I'm talking in general. And it didn't take me 15 minutes to build exactly the functionality and security I needed... I just couldn't piggy-back on Vanilla's session variable in order to determine which user/role was logged in!
This has all been very frustrating...
grep is your friend.
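The approach discussed in this thread (file bytes held in a BLOB column and released only after a server-side role check) as an added example; it is not code from any poster or from Vanilla. The table and function names are hypothetical, the caller is assumed to take the role ID from its own authenticated session, and in-memory SQLite stands in for a MySQL MEDIUMBLOB column so the script runs offline.

```php
<?php
// Added example: role-gated download from a BLOB column.
// Names (attachment, attachment_role, fetch_attachment_for_role) are hypothetical.
// In-memory SQLite stands in for MySQL; the PDO calls used are the same for both.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE attachment (id INTEGER PRIMARY KEY, name TEXT, data BLOB)');
$db->exec('CREATE TABLE attachment_role (attachment_id INTEGER, role_id INTEGER)');

// Constructed sample data: one ZIP-like payload, downloadable by role 4 only.
$ins = $db->prepare('INSERT INTO attachment (id, name, data) VALUES (1, ?, ?)');
$ins->bindValue(1, 'installer.zip');
$ins->bindValue(2, "PK\x03\x04 constructed sample bytes", PDO::PARAM_LOB);
$ins->execute();
$db->exec('INSERT INTO attachment_role VALUES (1, 4)');

/**
 * Return [name, data] only if $roleId may download $attachmentId, else null.
 * The role check is part of the query itself, so a copied link is useless
 * to a guest ($roleId === null) or to a user in the wrong role.
 */
function fetch_attachment_for_role(PDO $db, int $attachmentId, ?int $roleId): ?array
{
    if ($roleId === null) {
        return null; // not logged in
    }
    $q = $db->prepare(
        'SELECT a.name, a.data FROM attachment a
           JOIN attachment_role r ON r.attachment_id = a.id
          WHERE a.id = ? AND r.role_id = ?'
    );
    $q->execute([$attachmentId, $roleId]);
    $row = $q->fetch(PDO::FETCH_NUM);
    return $row === false ? null : $row;
}

// In a real handler $roleId comes from the server-side session, never from the URL.
foreach ([null, 2, 4] as $roleId) {
    $file = fetch_attachment_for_role($db, 1, $roleId);
    $who = $roleId === null ? 'guest' : "role $roleId";
    if ($file === null) {
        echo "$who: 403 Forbidden\n"; // same answer for "no such file" and "not allowed"
    } else {
        echo "$who: 200 OK, {$file[0]}, " . strlen($file[1]) . " bytes\n";
    }
}
```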