Cyclone3 Skin

Set up secured file download

From Cyclone3 Wiki

This page explains how to set up Cyclone3 private file downloads only for specified users with a valid login and password, excluding everyone else. There's a few steps you need to make:

Administration part

Add this line to your .htaccess file, located in !www subfolder of your web service.

RewriteRule ^download.pl download.pl [E=HTTP_AUTHORIZATION:%{HTTP:AUTHORIZATION},L,QSA]

Create a copy of download.pl script in the same directory and apply tom3-chfiles to reset its user rights. You also want to delete the download.tom file from the same directory to avoid users being able to override the secured download by changing the link from download.pl to download.tom in their browser.

Webdesign part

Check all module templates for file links that contain download.tom and change it to download.pl. For articles and other texts, the only thing to do is to change download script extension in the templates for native inline file links:

<DEFINITION id="link.a542_file">
<a class="link_<%db_file_ext%>" title="Prevziaҕ <%db_name%> (<%db_file_size.mb%>MB)"  href="<$tom::H_www>/download.pl?hash=<%db_hash_secure%>&ID=<%db_ID_file%>">
</DEFINITION>

XUL CMS part

The best way is to set up a new group of users, let's name it download. Open the group's properties, select the permissions tab, right click the table and choose Add from the context menu. Select the XULadmin files addon and click Select. Select the checkbox in the R column, and deselect the W one. This will enable the users in this group to download files. Close the group editor.

Create a new user and link him to the download group using his context menu. You need to specify a login and password and of course, activate the user.

Now you're all set, you can set specific files to secured status by clicking the file's Private column field. There's a little gray figure by default, which becomes red after clicking. The red figure means that the file can't be downloaded, unless the user provides a valid user/password.

Now the last part - specify the usergroup, which can download the file. Right click the file, select System tab, right click the ACL roles table, choose Add user group, select the download group you have created above, and enable read rights by clicking the R column checkbox.

You're done, now, the file can't be downloaded by anyone, except a valid user in the download group.