Access Password Protected Folders Via Joomla?

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

sanura
Joomla! Apprentice
Posts: 6
Joined: Sat Dec 08, 2007 7:18 pm

Access Password Protected Folders Via Joomla?

Post by sanura » Thu May 22, 2008 8:18 pm

Hi,

There has been a lot of discussion on setting access levels for Joomla files and folders. However, I would like to provide my Joomla site users with the ability to access password-protected files and folders (documents, video, images) on my website without having to enter a username and password, especially since they have already done so to log into the website.

Does anyone know if there is an easy way to do this?

sanurA

antihack
Joomla! Enthusiast
Posts: 163
Joined: Sat Mar 15, 2008 9:45 pm

Re: Access Password Protected Folders Via Joomla?

Post by antihack » Sun Jun 01, 2008 2:22 pm

How are you protecting your directories?

If you are not using Joomla to password protect them, then you need to contact your web host for instructions on removing the password protection from your directories.

If you are using Joomla to password protect them, then you need to set the user's access up correctly. Go into the admin section of Joomla. Then go into user accounts, then change the group of the users to a group that has the access you're looking for.

rhoffma2
Joomla! Apprentice
Posts: 7
Joined: Sat Mar 10, 2012 3:43 am

Re: Access Password Protected Folders Via Joomla?

Post by rhoffma2 » Sun Mar 11, 2012 5:08 pm

I'm looking for a solution to this as well. I don't want to remove the web host password protection, since this is needed to prevent someone from bypassing the Joomla front-end and directly accessing the files via a known URL. I need exactly what sanura is asking for: an ability for Joomla to "proxy" the authentication needed from the web host, allowing my users to only have to authenticate once (when first entering my Joomla site).

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Access Password Protected Folders Via Joomla?

Post by PhilD » Mon Mar 12, 2012 4:36 pm

First, by the nature of the server, you cannot password protect a directory and then let all your users access the password-protected directory.

Password protecting a directory (for example the Joomla administrator directory) is designed to let only a very limited set of users (such as you and a client during site development, or for added security for site administrators) into the directory. It is a function of the webserver and has nothing to do with Joomla. How the password protection on the directory is implemented determines whether the user with authorization needs to enter the protected directory's password (can be by IP) or not. In all cases these are 2 separate password schemes (protected directories, Joomla login) with very different implementations of passwords, with no relation to each other and no effective way to make a relation to each other.

If you're looking to give particular users or a user group access to articles, specific extensions, etc., then you will need to set up the proper groups and proper permissions for those groups from within the Joomla administration area. If this is what you're wanting to do, then ask your question in the administration or general question forums, as this would be an administration or setup issue.

Some extensions such as docMan will prevent access to files of various types if a person is not logged in and/or does not have proper permissions. This will also prevent direct access to the files unless the person is authorized (logged in). When combined with Joomla permissions and groups, this can be very effective in preventing unauthorized access to certain files.

A way to prevent people from directly accessing files within a directory is to use hotlink protection within htaccess as below, adding/changing extensions as needed and changing yourdomain.com to your domain. You still have to provide a way for them to access the files through Joomla (your domain) though.

Code:

# Refuse image requests whose Referer header does not point at this site
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
PhilD

rhoffma2
Joomla! Apprentice
Posts: 7
Joined: Sat Mar 10, 2012 3:43 am

Re: Access Password Protected Folders Via Joomla?

Post by rhoffma2 » Tue Mar 13, 2012 3:49 am

Thanks PhilD. I suspected there might be challenges getting the two authentication methods (Joomla and hosting provider) to integrate. I had hoped it would be as simple as a Joomla extension being able to understand the authentication prompting from the underlying host, capture and respond on its own to it (with a matching username/password defined in Joomla for the particular logged in user). This could have been the means for single sign-on in this circumstance.

If this isn't possible, I'm a bit confused how Joomla can secure other areas of the site without some cooperation from the hosting provider. What is preventing someone without an ID on my Joomla-built site from either browsing the directory structure, or having received the direct URL to content from a legitimate user, and thereby gaining access to files they shouldn't? How does docMan, which you reference below, restrict this? In my case it isn't just the article itself I need to protect, but various files that make up the article (PDFs, PNGs, etc).

Thanks for all your help with this...

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Access Password Protected Folders Via Joomla?

Post by PhilD » Tue Mar 13, 2012 11:42 pm

> I had hoped it would be as simple as a Joomla extension being able to understand the authentication prompting from the underlying host, capture and respond on its own to it (with a matching username/password defined in Joomla for the particular logged in user).

Joomla (and anything else within the password-protected directories) does not execute until the webserver is satisfied that the server's password protection is satisfied, so you can't capture the result of the directory user/password entry. To be able to do so would render the additional password protection useless.

> What is preventing someone without an ID on my Joomla-built site from either browsing the directory structure,....

The server prevents browsing or listing the directory structure. If your server allows listing or viewing a directory, then it is configured wrong and is insecure.

> What is preventing someone without an ID on my Joomla-built site from .... having received the direct URL to content from a legitimate user, and thereby gaining access to files they shouldn't? How does docMan, which you reference below, restrict this?

Docman and most other extensions of this type have a specific directory with an htaccess file in it with "deny from all" to block directly accessing the files within the directory even if you know the name of the file.

To get at the file you have to go through the extension using the document's URL for it. This forces the proper permissions for access as set for the file's document in the extension for the category it is based upon and what group the user is in in Joomla and what group(s) the file's document is set to. This is basically the same as what Joomla does with the various user permission levels when deciding to display or not display a menu item, article, etc. to a person.
Examples of a docman URL:
Download:
http://mysite.org/component/option,com_docman/task,doc_download/gid,39/Itemid,140/
View:
http://mysite.org/index2.php?option=com_docman&task=doc_view&gid=39&Itemid=140

Knowing these urls (giving the link to someone not authorized) does not help as the permissions will be checked before allowing access. So if the document is set to allow only the "Special" group then only people who have this permission level within Joomla will be allowed to view or download the document. Each permission level in Joomla has an id including guest (not logged in) and each user has an id and a permissions id(s). It is this way that Joomla and extensions can tell if a user is authorized to an area or for a document.
PhilD
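
The gatekeeper pattern described in the post above, as an added example that is not part of the original thread and is not DOCman's code: files live in a folder the web server refuses to serve directly, and a script checks the user's access level before streaming one out. The folder path, document table, session key and function name are all hypothetical, and the level ordering (Public 0, Registered 1, Special 2) is an assumption modelled on Joomla 1.5.

```php
<?php
// Added illustration, not DOCman's code. All names and data are constructed.
// Assumption: levels ordered as Joomla 1.5's Public (0) < Registered (1) < Special (2).
const STORE = '/var/www/private_docs'; // hypothetical folder with "deny from all" in its .htaccess

// Constructed document table: gid => stored file name and minimum access level.
$documents = [
    39 => ['file' => 'board-minutes.pdf', 'access' => 2], // Special only
    40 => ['file' => 'newsletter.pdf',    'access' => 0], // Public
];

/** Return the absolute path this user may download, or null when access is refused. */
function resolve_download(array $documents, int $gid, int $userLevel, string $store): ?string
{
    if (!isset($documents[$gid])) {
        return null;                                  // unknown document id
    }
    $doc = $documents[$gid];
    if ($userLevel < $doc['access']) {
        return null;                                  // permission check comes before any file access
    }
    // The file name comes from the table, never from the request; realpath() also
    // resolves symlinks so a link pointing outside the store is refused.
    $root = realpath($store);
    $path = realpath($store . '/' . basename($doc['file']));
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

session_start();
$level = (int) ($_SESSION['access_level'] ?? 0);      // hypothetical session key; guests are level 0
$gid   = filter_input(INPUT_GET, 'gid', FILTER_VALIDATE_INT);
$path  = is_int($gid) ? resolve_download($documents, $gid, $level, STORE) : null;

if ($path === null) {
    http_response_code(403);                          // same answer for "unknown" and "not allowed"
    exit('Access denied');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the decision is made per request from the session, passing the download URL to someone who is not logged in only produces the 403 response.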

rhoffma2
Joomla! Apprentice
Posts: 7
Joined: Sat Mar 10, 2012 3:43 am

Re: Access Password Protected Folders Via Joomla?

Post by rhoffma2 » Wed Mar 14, 2012 3:36 am

Makes sense. Thanks for your patience, and taking the time to write up such a thorough response. Exactly what I was looking for.

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Access Password Protected Folders Via Joomla?

Post by PhilD » Wed Mar 14, 2012 1:13 pm

You're welcome.
PhilD

