Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Uploading files into BLOB field in MySQL

edited March 2009 in Vanilla 1.0 Help
Hello, I'm new to Vanilla. I've got my forum setup almost exactly how I want it. My only issue is that I need to make software installation packages available for download within the forum-- only to members of certain roles-- while preventing download by anyone else (i.e. guests or even authenticated users with the wrong RoleID). I (as the only administrator) will be the only one needing to upload files. All such files will likely be ZIPs under 2mb.

I've been back and forth through the Vanilla Add-ons, and I can't find an upload tool that allows me to prevent downloads by people who aren't logged in, provided they know the web address. Since I'm in a shared hosting environment, I only have access to web-accessible directories, which means any file I upload into the file structure is directly downloadable. I wouldn't be terribly surprised if there's some option or trick here to do what I want (perhaps with the Attachment add-on?), but if so I'm missing something.

One easy way I know of to control access to download files is to read the file data directly into a MEDIUMBLOB field in a MySQL table. I've done this before, and it's simple to code the uploader/downloader utility. My issue is tying it into Vanilla. I've had the hardest time trying to read the Vanilla session variables (simply to grab the userID!), and I've finally given up (even after pouring over every comment I could find on the subject in this community forum).

Thoughts? Suggestions? Smacks upside the head and fingers pointed toward the obvious? Anything would be appreciated! :-)

Comments

  • x00x00 MVP
    edited March 2009
    bobaran
    I've been back and forth through the Vanilla Add-ons, and I can't find an upload tool that allows me to prevent downloads by people who aren't logged in, provided they know the web address. Since I'm in a shared hosting environment, I only have access to web-accessible directories, which means any file I upload into the file structure is directly downloadable. I wouldn't be terribly surprised if there's some option or trick here to do what I want (perhaps with the Attachment add-on?), but if so I'm missing something.
    This is incorrect. Even with shared hosting you can prevent access to a directory via .htaccess. This applies to apache but other severs have their way of doing things. You also have the file system permissions (chmod) If your sever is truly completely open, (which I highly doubt) you really need to change hosts ASAP.

    Handling permissions in vanilla extensions is a simple as:

    if($Context->Session->User->Permission('PERMISSION_SOME_PERMISSION')){ ... }

    grep is your friend.

  • Thanks for the response!

    Where am I supposed to put that code? I'm afraid it doesn't mean much to me standing alone like that. I want to base the permission on RoleID.

    Also, when using chmod in the past, I've found that my PHP scripts can only access files if they've got the everyone-read bit enabled, which means they're also accessible to direct download. This isn't the case if I code in ASP.NET, but that doesn't help us here. Perhaps this is a limitation of my hosting situation? Or perhaps, again, I'm missing something.

    I've never worked with .htaccess before. I'm looking into it now...
  • The correct way is to create a permission for the roles and apply this. You can check the roles directly aswell.

    grep is your friend.

  • Again, I'm new to Vanilla. When you say "create a permission for the roles," it doesn't mean anything to me. Are we talking about code here? Is this an add-on of some sort? Because I'm not seeing anything about custom permissions in the main installation of Vanilla.

    I tried including a very basic .htaccess file in one of my directories, and it's being ignored. According to several tutorials I've read, a lot of hosting providers don't allow you to upload your own .htaccess files. Apparently mine is one of them.

    To hit again on one of my original questions, are there any add-ons that allow for uploading files directly into MySQL? It would certainly be the simplest solution, since only those roles that can access the thread in question would be able to access the download.

    Thanks for the help!
  • probably not because there is no point.

    If your extensions already handle the permissions then there is no need to code anything.

    What sever is it? is it apache?

    If so try dropping .htaccess file bellow in the directory where the files are kept
    deny from all

    grep is your friend.

  • Yep, that's exactly what I did. No joy. So I guess my hosting provider prevents use of .htaccess files. I've got an email in to them about that, but we'll see if they're willing to bend.

    Again, I'm not following you on the permissions thing. Is this some sort of add-on? The only "permissions" I can play with are what comes in the "Roles & Permissions" control panel; within that, I can give a role the ability to "Add Attachments" or "Manage Attachments." That's it. I can't set access permission for any specific file. And although the file has been attached to a particular discussion, any user-- even ones in roles than cannot access that discussion-- can still download it.

    For that matter, even if .htaccess were to prevent direct download of that file using "deny from all," it occurs to me that we've still got a problem. The hyperlink that's generated in the discussion (.../?PostBackAction=Download&AttachmentID=1) is completely outside of site security. Because it's a script, it can access the download file despite .htaccess, yet it completely ignores the fact that only registered, authenticated users are even allowed into the forum. So any user can just copy paste that link and post it somewhere else... which is exactly what I'm trying to prevent.

    Are you asking the point of importing files into the database? It may be personal preference, but I find it quicker, cleaner, simpler. Keep it all in one place, manage it entirely with SQL. Understand, I'm not just talking about Vanilla, I'm talking in general. And it didn't take me 15 minutes to build exactly the functionality and security I needed... I just couldn't piggy-back on Vanilla's session variable in order to determine which user/role was logged in!

    This has all been very frustrating...
  • Well I didn't write the attachment extension, but if there have permissions it is odd they don't enforce them for the script. They can check the user session. Which extension are you using?

    grep is your friend.

Sign In or Register to comment.