Bug #89386

Backend module "FileList" not fully compatible with protected (not publicly accessible) directories

Added by Jan Kornblum 10 days ago. Updated 9 days ago.

Status: Needs Feedback
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version: -
Start date: 2019-10-09
Due date:
% Done: 0%
TYPO3 Version: 9
PHP Version: 7.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Using the backend module "FileList", it is not possible to view a file when it is located inside a protected (not publicly accessible, e.g. protected by .htaccess) directory. To reproduce:

  • Place any file (e.g. a PDF) inside any folder (e.g. fileadmin/test/).
  • Also, put a .htaccess file containing "Deny from all" inside the same folder.
  • Now go to "FileList" and navigate to this folder. Everything works fine up to here (rendering previews etc.)...
  • Now click on the PDF icon -> info -> and inside the popup -> click on the button "show". This leads to "403 access denied".

So it would be much better to handle this "show" action via a PHP method (read the file contents, send headers and echo the file content) instead of directly calling the public URL of the file.

History

#1 Updated by Georg Ringer 9 days ago

  • Status changed from New to Needs Feedback

Thanks for creating the issue; however, it is not that easy.

Imagine there are files with 10 MB or 200 MB or maybe 1 GB; using PHP to read this file also means that it will not be so simple to implement.

#2 Updated by Jan Kornblum 9 days ago

Georg Ringer wrote:

> Thanks for creating the issue; however, it is not that easy.
>
> Imagine there are files with 10 MB or 200 MB or maybe 1 GB; using PHP to read this file also means that it will not be so simple to implement.

Hmm... Is this really such a (performance-related?) problem? The BE module currently renders previews automatically for e.g. "pdf"s, too (so a "big" file already gets read by PHP). Shouldn't just reading and echoing a huge file be easier?

If it's really not possible: What about implementing a "switch" to still deliver files bigger than 500 MB directly, but smaller files using my approach?

I think this issue would be really very useful. I've got several projects where the application e.g. creates invoices or similar (which must be stored publicly inaccessible). In these cases an editor should always be able to access these files using the backend module.
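
The "show" action delivered through PHP, as proposed in the description, with the file read in fixed-size chunks so that its size does not drive memory use (the concern raised in #1). This is an added example in plain PHP, not TYPO3 core code and not code from the participants of this issue; the function name, its parameters and the `$isAuthorized` flag are hypothetical, and the `fileinfo` extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not TYPO3 API. Streams a file from a directory the web
 * server refuses to serve (e.g. "Deny from all").
 * Assumption: the caller derives $isAuthorized from the backend session.
 */
function streamProtectedFile(string $storageRoot, string $relativePath, bool $isAuthorized): void
{
    if (!$isAuthorized) {
        http_response_code(403);
        return;
    }
    // Resolve symlinks and ".." first, then require the result to stay under the root.
    $root = realpath($storageRoot);
    $file = realpath($storageRoot . DIRECTORY_SEPARATOR . $relativePath);
    $prefix = rtrim((string)$root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($root === false || $file === false || !is_file($file)
        || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        http_response_code(404);
        return;
    }
    $handle = fopen($file, 'rb');
    if ($handle === false) {
        http_response_code(500);
        return;
    }
    // Drop output buffers, otherwise PHP collects the whole file in memory.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file) ?: 'application/octet-stream';
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . (string)filesize($file));
    header("Content-Disposition: inline; filename*=UTF-8''" . rawurlencode(basename($file)));
    header('X-Content-Type-Options: nosniff');   // no MIME sniffing on stored uploads
    header('Cache-Control: private, no-store');  // keep protected files out of shared caches

    // 128 KiB per iteration: memory use is constant for 10 MB and 1 GB alike.
    while (!feof($handle) && !connection_aborted()) {
        echo fread($handle, 131072);
        flush();
    }
    fclose($handle);
}
```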
