bugs unauthorized users access pdf files knowing the link

Please report bugs and any annoyances here. Kindly include all possible details: steps to reproduce, expected result, actual result, screenshots, ... etc.
onoehring
AppGini Super Hero
Posts: 1156
Joined: 2019-05-21 22:42
Location: Germany

Re: bugs unauthorized users access pdf files knowing the link

Post by onoehring » 2022-05-06 10:06

Hi facos,

I just saw your posting by accident.
As this thread actually holds more than one solution, maybe you could pinpoint exactly which solution you are using, and thus which one is not working (anymore) for you.
The last solution uses standard AG libraries and the login check. If the script IS broken, I suppose it should be quite easy to fix, as the rest is very simple and does not rely on AG but on Apache and basic htaccess.

Olaf

facos79
Veteran Member
Posts: 115
Joined: 2014-10-29 12:31

Re: bugs unauthorized users access pdf files knowing the link

Post by facos79 » 2022-05-07 14:05

Hello,
the solution that no longer works is the following:

Code:

RewriteEngine on
RewriteRule .* protect.php

Code:

<?php

	define('PREPEND_PATH', '../');
	$hooks_dir = dirname(__FILE__);
	include("$hooks_dir/../defaultLang.php");
	include("$hooks_dir/../language.php");
	include("$hooks_dir/../lib.php");

	/* grant access to the groups 'Admins' and 'Other' */
	$mi = getMemberInfo();
	if(!in_array($mi['group'], array('Admins', 'Other'))){
		// not in an allowed group: send the visitor to the start page
		header("location: /");
		exit;
	} else {
		// Allowed group: serve the requested file from this folder.
		// Use only the last path segment, without any query string.
		$path = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
		$fileName = basename($path);
		if(!is_file($fileName)){
			http_response_code(404);
			exit;
		}
		header('Content-type: application/pdf');
		header("Content-Disposition: inline; filename=\"$fileName\"");
		readfile($fileName);
	}

I think that, nowadays, AppGini should itself protect, without additional code, all the folders where photos and documents are saved. This function is essential for the created apps to be safe. Unfortunately, those who do not know how to program rely on software such as AppGini to be able to build what would otherwise be impossible for them to achieve. The safety of the finished product is essential. In this case the folder containing the uploads can be accessed by knowing the download link. It should be blocked from unwanted access and above all from access by users who are not logged in.
I find AppGini to be great software and I hope a security solution will be integrated in the future.
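
An added example (not part of the original posts and not AppGini's own code) for the file-lookup step of the protect.php script above: it resolves the rewritten request to a file inside one folder, picks the content type from an allow-list, and refuses everything else. The function name resolve_upload, the list of file types and the sample URIs are assumptions made for illustration.

```php
<?php
// Added example, not AppGini code: map a rewritten request URI to a file
// inside one upload folder, or return null when nothing may be served.

// Assumption: only these file types are stored in the protected folder.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
];

function resolve_upload(string $requestUri, string $baseDir): ?array
{
    $path = parse_url($requestUri, PHP_URL_PATH);  // drops ?query and #fragment
    if (!is_string($path)) {
        return null;
    }
    $name = basename(rawurldecode($path));         // last segment, decoded
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (strpos($name, "\0") !== false || !array_key_exists($ext, ALLOWED_TYPES)) {
        return null;                               // e.g. protect.php, .htaccess
    }
    // realpath() resolves symlinks and "..", so the prefix test is reliable.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !is_file($real)
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return ['path' => $real, 'type' => ALLOWED_TYPES[$ext]];
}

// Constructed self-check; runs only from the command line (php file.php).
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/report.pdf", '%PDF-1.4 constructed sample');
    file_put_contents("$dir/protect.php", '<?php // constructed sample');
    $samples = [
        '/app/files/report.pdf?x=1',         // existing file, query string
        '/app/files/protect.php',            // script in the same folder
        '/app/files/..%2F..%2Fconfig.pdf',   // encoded ../ segments
        '/app/files/missing.pdf',            // no such file
    ];
    foreach ($samples as $uri) {
        $hit = resolve_upload($uri, $dir);
        printf("%-34s %s\n", $uri, $hit ? $hit['type'] : 'refused');
    }
}
```

In a gatekeeper script the group check still comes first; a null result would be answered with a 404 before any header or readfile() call.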

onoehring
AppGini Super Hero
Posts: 1156
Joined: 2019-05-21 22:42
Location: Germany

Re: bugs unauthorized users access pdf files knowing the link

Post by onoehring » 2022-05-08 09:00

Hi,

Maybe your provider changed something (Apache version). Try the other .htaccess which I have shown here (this thread): viewtopic.php?f=11&t=2856#p15242
Maybe this does the trick already.

Also, it might help to see what happens internally, i.e. why the permissions check fails. You should try to enable PHP error reporting. Just google how to do it (example: https://phoenixnap.com/kb/php-error-reporting ). Afterwards, access a file in the "protected" folder and see if any errors occur.

Olaf

AhmedBR
AppGini Super Hero
Posts: 327
Joined: 2013-09-19 10:23

Re: bugs unauthorized users access pdf files knowing the link

Post by AhmedBR » 2022-07-31 12:31

With PHP 7.4 it works; everything seems to work very well with 7.4.
Seems I am stuck with 7.4 for a while; protecting files is essential.

With PHP 8.1.4 it does not work; 8.0+ is giving me headaches!
AppGini 22.14 - xampp 3.3.0 - PHP 7.4.30 - Summary reports - Calendar - Mass update - Messages - AppGiniHelper

SkayyHH
Veteran Member
Posts: 425
Joined: 2015-04-27 21:18

Re: bugs unauthorized users access pdf files knowing the link

Post by SkayyHH » 2023-02-04 00:25

Hi,

It doesn't work for me anymore with a newer PHP version either.

Does anyone have another solution to protect the directory with the documents?

Thank you very much,

Kai
