Protect media source directory?

I have a set of Member Only pages which have been working just fine for quite a while. However, it has been noticed that the file paths to the documents on the Member Only pages are still accessible to anyone who might know the path.
Is there any way I can secure the Member Only directory and sub directories containing all uploads?
There are quite a number of docs on one Member resource, so using static resources isn't really an option, as discussed here.



The most ironclad solution would be to move the files above the web root. Once you do that, there’s no way they can be accessed by browser.

You could also create an .htaccess file (assuming you’re not on an nginx server) in the parent directory of the files with this code:

# Apache 2.2-style access control (on Apache 2.4 this needs mod_access_compat;
# "Require all denied" is the native 2.4 equivalent).
# Note: no space after the comma; "Order allow, deny" is two arguments and Apache rejects it.
Order allow,deny
Deny from all

Finally, if the directory name is unique, you could put this in your root .htaccess file (again, assuming you’re not on an nginx server):

# Deny access to sub directory
# A <Files> section is matched against the file name only, not the directory
# part of the path, so "<Files subdirectoryname/*>" never matches anything.
# From the root .htaccess, matching the URL path with RedirectMatch does the job:
RedirectMatch 403 ^/subdirectoryname/

The last one may depend on what else is in your .htaccess file.

It’s best to back up and edit any .htaccess files in cPanel’s File Manager or the equivalent (not in the MODX Files section), because any error can bring the site down and you’ll want to fix it fast.

There’s more information on .htaccess files in the series of articles here.


@bobray - You have once again come to the rescue!
I've enabled the following .htaccess on a test site and it seems to be working. I can no longer access the files within that directory if I am not logged in...

    # no space after the comma, or Apache refuses the directive
    Order allow,deny
    Deny from all

Thank you so much.
And thanks for your guide on .htaccess; I'll have a proper read later on.


OK, I can reach the page but am unable to download the docs that have been uploaded to the page.
Any way around this?


I've found a tutorial about how to do something similar but with WordPress, so I don't know if this can be updated for MODx use?
The .htaccess is:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Only act on requests for .zip files...
RewriteCond %{REQUEST_FILENAME} \.zip$ [NC]
# ...from visitors who do not carry a WordPress login cookie
# (the original paste had lost its "*" wildcards around the cookie name)
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in [NC]
# ...and send them to the members page instead of the file
RewriteRule . /members-downloads [R,L]
</IfModule>

I also found this answer but don't know PHP, so any help to get it working with MODx will be most appreciated.

if ( ! empty( $_GET['pdf_name'] ) ) {

    // check if user is logged in (WordPress function; the MODX equivalent
    // is $modx->user->isAuthenticated('web'))
    if ( is_user_logged_in() ) {

        $proxiedDirectory = "{$_SERVER['DOCUMENT_ROOT']}/xxxx/";
        // basename() drops any directory part, so a value like "../../wp-config"
        // cannot escape $proxiedDirectory
        $filename         = basename( $_GET['pdf_name'] );
        $file             = $proxiedDirectory . $filename . '.pdf';
        $basename         = basename( $file );

        if ( is_file( $file ) ) {
            header( 'Content-Type: application/pdf', true, 200 ); // May need to determine mime type somehow
            header( 'Content-Disposition: attachment; filename="' . $basename . '"' );
            header( 'Content-Length: ' . filesize( $file ) );
            header( 'Cache-Control: private' ); // member-only content must not be cached by shared caches
            readfile( $file ); // the original opened the file with fopen() but never sent it
            exit;
        } else {
            die( 'ERROR: file not found.' );
        }

    } else {
        die( "ERROR: you don't have permissions to download it." );
    }
}
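The two pieces of advice in this thread (move the files above the web root, and hand them out through a script that checks the login) can be combined in a single MODX snippet. The following is an added example written for this page; it is not code from the thread, from MODX core or from FileDownload R. The snippet name (memberDownload), the storage directory (a member-files folder beside the web root, located via the MODX_BASE_PATH constant) and the ?f= query parameter are assumptions for the example.

```php
<?php
/**
 * Added example, not the thread's or MODX's own code: a MODX snippet,
 * hypothetically named "memberDownload", that streams a file kept OUTSIDE the
 * web root to logged-in users of the current context only.
 *
 * Assumptions (not taken from the thread):
 *   - protected files live in <parent of web root>/member-files/
 *   - member pages link to this snippet's resource as ...?f=<filename>
 */

// 1. Only authenticated users of the current context (usually "web") get anything.
$ctx = $modx->context->get('key');
if (!$modx->user->isAuthenticated($ctx)) {
    $modx->sendUnauthorizedPage();
    return '';
}

// 2. Directory above the web root, so the browser can never reach it directly.
//    MODX_BASE_PATH ends in a slash, so dirname() yields the parent of the web root.
$baseDir = realpath(dirname(MODX_BASE_PATH) . '/member-files');
if ($baseDir === false) {
    $modx->log(modX::LOG_LEVEL_ERROR, 'memberDownload: member-files directory is missing');
    $modx->sendErrorPage();
    return '';
}

// 3. Resolve the requested name and refuse anything that escapes the directory.
$requested = isset($_GET['f']) ? (string) $_GET['f'] : '';
$name = basename($requested);            // drops any directory component ("../")
if ($name === '' || $name[0] === '.') {  // no empty names, no dotfiles
    $modx->sendErrorPage();
    return '';
}
$path = realpath($baseDir . '/' . $name);
// realpath() follows symlinks, so the prefix check also catches a symlink that
// points back into the web root or anywhere else outside $baseDir.
$prefix = $baseDir . DIRECTORY_SEPARATOR;
if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
    $modx->sendErrorPage();
    return '';
}

// 4. Allow-list the types you actually hand out; anything else is refused.
$allowed = [
    'pdf'  => 'application/pdf',
    'zip'  => 'application/zip',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
];
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    $modx->sendErrorPage();
    return '';
}

// 5. Stream it. Content-Disposition forces a download, nosniff stops the browser
//    treating a "PDF" that is really HTML as a page, and no-store keeps private
//    files out of shared caches.
header('Content-Type: ' . $allowed[$ext]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . str_replace('"', '', $name) . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

Call the snippet uncached on a resource that only the member group can see (for example `[[!memberDownload]]`), and build the member page's links as `[[~[[*id]]]]?f=report.pdf` or similar. Because the snippet is the only thing that ever opens the directory, the direct-path problem described at the top of the thread disappears: there is no URL under the web root that maps to the files at all.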

When you change the media source, you have to change your links, have you changed those yet? I am assuming you had links to the files on a page…

I’ve been hoping to do this myself, when you change the media source then any existing links will no longer work. They have to be updated to the new path.

However, once the path is changed I believe you should be able to download/access those files, if logged in

@nuan88 I was hoping to not have to change the media source


But haven’t you now protected your media source…you didn’t move it?

The fact that you need to allow downloads complicates things.

Something like the FileDownload R extra should do the trick.

It shows links to downloadable files, but the links don't contain the actual path to the files. As long as you put the files in a safe place and put the FileDownloadR tag on a page that only authorized users can see, the files will be safe.


On initial implementation on a test site that might be just the thing I need. Thanks a lot :+1:


The only issue with FileDownload R is that I believe it's hard, at least, to use it programmatically for downloads.

If you have non-dynamic links, then it will work fine.