Non-authenticated users able to access files (pdf's, docs, etc) if they have the link

This is an open forum for any mojoPortal topics that don't fall into the other categories.

This thread is closed to new posts. You must sign in to post in the forums.
2/4/2015 5:17:53 AM
Gravatar
Total Posts 5

Non-authenticated users able to access files (pdf's, docs, etc) if they have the link

We have enforced access to our website to be restricted to atleast authenticated users only. The problem is users that do a google search or already have the links to the files can still access these documents. How can we prevent access to these files unless the users are logged on only?

Is this possible?

 

2/4/2015 9:39:40 AM
Gravatar
Total Posts 18439

Re: Non-authenticated users able to access files (pdf's, docs, etc) if they have the link

you can add a minimal Web.config (not a copy of the main one) file in the folder containing the files and use the authorization element.

I suggest google for "iis web.config protect static files by role" or variations of those terms

one example answer from stackoverflow is here

note that once you protect a folder, google will not be able to index those files so they should drop out of search results over time

2/4/2015 1:16:27 PM
Gravatar
Total Posts 1200
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: Non-authenticated users able to access files (pdf's, docs, etc) if they have the link

Here is a stub web.config file that worked in my testing under IIS 7.5 (Windows Server 2012). I placed it in the media folder of my test site, and it successfully protected all of the files in or below media from users not in the listed roles.

The nice thing about this is that it works just as you'd want it to. When you make a request to a file in a protected folder, and you're not signed in, then you are redirected to the mojoPortal login page for the site. If you authenticate successfully, and are in the listed roles, then you'll be served the requested file immediately.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
   <location inheritInChildApplications="true">
      <system.web>
          <authorization>
              <allow roles="role1, role2" />
              <deny users="*" />
          </authorization>
      </system.web>
   </location>
</configuration>

Edit: Sorry, I had deny users="?", and it needs to be deny users="*" to only allow particular roles.

2/5/2015 3:58:17 AM
Gravatar
Total Posts 5

Re: Non-authenticated users able to access files (pdf's, docs, etc) if they have the link

This worked perfectly! Thank you very much!

You must sign in to post in the forums. This thread is closed to new posts.