Kentico permanent link vs direct path - kentico

I'm working on a site where all links (dynamic + hard-coded) to the media library are permanent links (with getmedia...), which makes it very hard to locate the exact folder of the files and update them. I've asked a developer and heard that permanent links are more secure, as the system can check who has access to download the materials. Is that a fair statement, and why or why not? Thanks for your input!

This is not a fair or correct statement. Access is set at the individual media library directory, not at an individual file level.
For example, if you have an Images media library which has no security behind it, you can access it directly with a URL of:
/site/media/images/logo.png or /getmedia/<guid>/logo.png
and the image will display without issue.
Now you have another media library called "Secure_Files", if you attempt to access:
/site/media/secure_files/file1.pdf
You'll get an error or a login page because the security is set on the
/site/media/secure_files directory.

Here is the documentation on securing media libraries.

By default, Kentico does not check the See library content permission for visitors on the live site. If you wish to require users to have this permission to view media library content, you need to enable the following settings in the Content -> Media category of the Settings application:
Use permanent URLs
Check file permissions
See the note at the very bottom of this documentation page.

Permanent Link is made up of:
/getmedia/
Guid ID
Image Path
.aspx
Eg: /getmedia/C73B5-6A0-4F6-878-3C29D792014/IMG_3860.jpg.aspx
Direct Path is made up of:
/
Site Name
Media Library Folder Name
Image Path
Eg: /google/media/Blog-images-from-Kentico-Cloud/IMG_360.jpg
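The quoted documentation ties the permission check to the Use permanent URLs setting, so it helps to know which links on a page use which of the two forms described above. The following is an added example, not code from the original answers or from Kentico: it extracts links from markup and classifies them by those two URL shapes. The sample HTML, the GUID in it, and the function names are constructed for illustration, and the script assumes a full-length GUID in the permanent link.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Permanent link: /getmedia/<guid>/<file name>, optionally ending in .aspx
PERMANENT = re.compile(
    r"^/getmedia/(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"/(?P<name>[^/]+?)(?:\.aspx)?$", re.IGNORECASE)
# Direct path: /<site name>/media/<library folder>/<file path>
DIRECT = re.compile(r"^/(?P<site>[^/]+)/media/(?P<library>[^/]+)/(?P<path>.+)$",
                    re.IGNORECASE)

# Constructed sample markup (not taken from a real site)
SAMPLE_HTML = """
<a href="/getmedia/0F8FAD5B-D9CB-469F-A165-70867728950E/report.pdf.aspx">Report</a>
<img src="/site/media/images/logo.png">
<a href="/site/media/secure_files/file1.pdf?ext=.pdf">File</a>
<a href="/about-us">About</a>
"""

class LinkCollector(HTMLParser):
    """Collects href and src attribute values."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)

def classify(url):
    """Return (kind, key, file): key is the GUID or the library folder."""
    path = urlsplit(url).path          # ignore host and query string
    m = PERMANENT.match(path)
    if m:
        return ("permanent", m.group("guid").lower(), m.group("name"))
    m = DIRECT.match(path)
    if m:
        return ("direct", m.group("library"), m.group("path"))
    return ("other", None, None)

def audit(html):
    """Group every link in the markup by URL form."""
    collector = LinkCollector()
    collector.feed(html)
    report = {"permanent": [], "direct": [], "other": []}
    for link in collector.links:
        kind, key, name = classify(link)
        report[kind].append((link, key, name))
    return report
```

The "direct" entries name the library folder each file lives in, which is the information a permanent link does not carry in its URL.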

Related

How add custom css file in style library in modern sharepoint communication site

I am customizing a SharePoint modern site. When I upload a CSS file to the styles library it shows a denied message, but I am the site owner and I have the full control right also.
Have you checked your permissions in the style library? Also ensure custom script has been enabled in the current tenant.

Kentico 9 ui permissions regarding the media library

Is it possible to allow read access only to the media library? I'm setting a role and with the Media Library module, I've only set the Read permission to Allow, but a user with that role still sees the upload button. Am I looking at the wrong module?
If you go to the specific Media Library and then edit.
Then you will see the list of files within the media library.
On the left-hand side, there will be '...', hover over this and then click on Security.
Here you can specify which role you want to perform what action in that specific Media Library.
Did you configure Permissions and UI Personalization?
So in this case, I removed access to the media library. It forces editors to add images as attachments, which was my end goal. Reason being, sync only works with published content, and won't migrate files from one server to another.

How to hide website directory from search engines without Robots.txt?

We know we can stop search engines from indexing directories on our site using robots.txt.
But this of course has the disadvantage of actually publicising directories we don't want found to possible attackers.
Password protecting the directory using .htaccess or other means is obviously the best way to keep the directory private.
But what if, for reasons of convenience, we didn't want to add another layer of security to the directory and just wanted to add another level of obfuscation? To hide, for example, an admin login page.
Is there another way to "hide" the directory without broadcasting its location in a robots.txt file?
Here is what to do. Please note that, as you haven't mentioned any particular technology, I haven't included how to do it.
If you configure your web server to output the following meta tag in the directory listing HTML page, it will prevent your page from being indexed by compliant search engines.
<meta name="robots" content="noindex">
Adding this would probably require implementing a custom module within your web server that will override the default directory listing output page.
Try using a random string. Something like http://website.com/some-random-string-here/file.html
Then remember not to use some-random-string-here in your robots.txt file or in any links.

Shared Folders Links in SharePoint

Is there a way I can add a local path/link to SharePoint 2010 so that when my team clicks on that link, it takes them to the shared drive specified in the path? I have tried the links in SharePoint but it does not accept it because the link must start with http. However, the link I want to share is for a local shared folder (e.g., D:\Test\Evaluation). Any idea??
Thanks,
In addition to file:/// be sure to use the UNC form of the server/folder path, like
file:///\\servername\toplevelfolder\subfolder\
You have to add "file:///" in front of the shared drive path so SharePoint 2010 can accept it
Our solution is specifically for a SharePoint 2010 Links list which only allows http:// links. If you want to be able to use a file:// location rather than an http:// location, you'll need to use JQuery. Follow the instructions here:
http://www.sharepointindepth.com/change-hyperlink-field-value-from-http-to-file-on-a-sharepoint-form/

Secure file downloads in dotnetnuke

I'm relatively new to dotnetnuke and am trying to set up a simple site which will have multiple user groups with their own set of files and then another user that has access to all files.
I'm currently playing with doing this with the "documents" module and hiding the module from all but the everything user and the specific company user. This works fine but the security seems to be just security by obscurity.
If I log in as User A and get access to file A and copy its url. I then log out and log in as user B who can't see that file. If I then put the file url into the browser it seems to download fine.
Can anybody tell me if I am doing something wrong or is there no actual user based security on file downloads? I've tried going to the actual file manager and making the directories explicitly not viewable to user B (they are secure directories too) but still it persists. Am I missing a permissions option at the file level somewhere or is the security designed to just prevent you finding the right links to the files? I'll admit the links aren't guessable (no sequential ids in the url or anything silly like that) but I'm still a little uncomfortable with the security working like this...
DNN FileManager Module
Hi Chris,
Please check out the FileManager module per above link. You are correct that the current FileManager module does not allow access per user roles. You might check Snowcovered for possible substitutes?
It seems that I was doing something wrong. I was referencing a different version of the file which didn't have any permissions attached to it. It seems also that I don't need to have multiple documents modules since if a file doesn't have read permission it will just be hidden in the list.
So to summarise the DNN Documents module will do role based security to prevent unauthorised users from downloading the file and from seeing it in the documents view.
Documents module provides security for LinkClick.aspx urls that are routed to ASP.NET.
If the actual files reside in the file system under the site's root folder, direct urls to these files are served and secured by IIS.
To prevent unauthorized access to direct urls you can disable anonymous authentication and set up Basic authentication with NTFS permissions, for example.
If you don't want to touch IIS and administer Windows accounts, you can't store the files directly under any publicly available IIS folder. Security at the ASP.NET application level is implemented using file encryption or by storing the files outside the public IIS folders, like in the database. DNN File Manager offers both of these options: secure folders in the file system and secure folders in the database.
There are also 3rd party modules to manage file security and sharing, like NukeTransfer.
