How to disable direct access to media folder?
Hi, I need to disable direct access to the Media folder. This means that if I type the URL directly, for example http://www.domain.it/media/60345/testfile.pdf, I should not be able to view the file. The only way to see it should be through Umbraco pages.
Is there a way to do this?
Thank you, Adriano
Adriano,
You can purchase the Media Protect package http://our.umbraco.org/projects/website-utilities/media-protect or you can write your own HTTP handler to do it. I would recommend purchasing Media Protect; it's only E99.
Regards
Ismail
Hi Ismail, thank you for your answer, but the problem is that the Media Protect package protects media files with a password.
I need the files to be accessible only from Umbraco pages, but without a password, because the users must already type a recaptcha to open files.
Hi Adriano
Do you mind if I ask why you decided to prevent access on your umbraco pages by using a recaptcha?
I would only choose to use recaptcha as a method to prevent botnet attacks on a form.
Kind regards
Martin
I have used an HTTP handler in the past to protect gated assets, i.e. ones that require you to register. This is in effect what Media Protect does, with a nice UI. So I guess you also have gated assets but you are using only a captcha to protect them?
Regards
Ismail
Hi Martin and Ismail, this was a client request just to prevent (as you said) botnet attacks.
I'll try to give you details about the scenario.
There is a list of documents that are only visible until they expire.
When they expire, they disappear from the list and must no longer be visible, even by typing the URL of the document directly.
With a small list, it would be enough to delete the file, but with more than 2000 documents it is impossible.
So I'm looking for a way to disable direct file access by forcing users to go through the normal procedure for displaying the documents.
Sorry for my imperfect English :-)
Hi Adriano
Sorry to be a pain but I'm still a little unclear.
Are the users prevented from accessing the list until they enter a recaptcha code?
M/
The list is public, but if they want to see a document (as a PDF file), they must click on the link. At the moment, before opening the file, they see a page with a recaptcha.
I know...this is a crazy requirement of the customer...but I cannot do otherwise :-s
Hi Adriano
OK, I understand now. I think you need to educate your customer, as a reCaptcha really isn't meant to be used as a barrier to content. You're already aware its use is to prevent remote code from being fired at your forms and probing/attacking you. It doesn't provide you with any method of engaging with the person who is trying to access your restricted content, and forcing them to enter a Captcha isn't providing your customer with any benefits. So it's a pointless effort.
My recommendation would be to remove the reCaptcha altogether and replace it with a standard ASP.NET membership form.
We needed simple password access to some of our media (mostly to track who's downloading content that's a bit more important to us). It's pretty easy to do with the member picker datatype: attach it to your file mediatype and it will record a membergroup property on any media file you create. You can then use the Umbraco media event API (Media.AfterSave) to write into the media folder a set of authorization rules (a Membership web.config file).
So, for example: you have a media item with a URL of http://yourdomain/media/1234/file.pdf; the folder "1234" will contain a web.config upon saving, as long as the backoffice user has set a member group.
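    <configuration>
      <system.web>
        <authorization>
          <!-- Rules are evaluated top to bottom; the first match wins -->
          <allow users="UserGroup" />
          <!-- Everyone who did not match the allow rule is denied -->
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>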
This file will immediately kick out anyone who's not a Member of your chosen group and redirect them to your login page. As you're only protecting media, it's probably easier to create an Umbraco page with a user control or razor view containing the required login form. Umbraco does have an in-built mechanism in the back office for protected content nodes but unfortunately it doesn't cover media too.
We go a little further on our site and use Umbraco Contour as the platform for our login form. This means we get a "built in" record of everyone who logs in, along with some great "silent" botnet protection out of the box. To make things as simple as possible for the end user, we only ask for the group access password and an email address for tracking. The username is automatically passed into the form from a back office property on the protected page.
By taking this approach you force the person who wants the content to contact you to gain access to the password. This means you've engaged with someone and the customer is provided with a potential sales lead.
Of course you can add all sorts of extras into the mix with Membership. Stuff like expiring passwords, membership profiles....it's all there for the taking depending on your needs.
I plan at some point to release my Membership code as a package. It won't be as clever as Media Protect, but it will be free!
I hope this helps you
M/
Hi Martin,
I agree about educating the customer, as a reCaptcha really isn't meant to be used as a barrier to content, and I do...but they are immovable.
I fought for a long time to avoid this use of recaptcha, but unfortunately I did not succeed...Now I stop the fight!!! :-)
So... the list of articles is a PUBLIC list, so the use of a password to view the PDF is unthinkable...I must find an alternative.
Thank you anyway for the help.
Adriano
Hi Adriano
Another method is to create your own custom Http Handler that will monitor certain content types, say PDFs or JPEGs. You write the handler in such a way that it only allows access based on a certain membership account. But that may in all probability affect all media types rather than a specific set of files or folders. You would need to look this up.
Finally, although personally I think it's one heck of a hack, you could pass the user through to another page after the reCaptcha. In this page you would effectively "login" the user on their behalf in code. Once you've achieved this, the user could then access the media which is protected with the appropriate membership account using the Authorization rules method I previously described.
Of course passing credentials around on the user's behalf is hardly the point of Membership, but in your case it would solve your problem.
M.
Hi Adriano
If you go for the second option, I would suggest you pass in whatever the reCaptcha classes as "success" in an attempt to prevent unauthorised access to that page too.
Good luck
M/
Thanks Martin...In fact I was thinking of creating a custom HTTP Handler.
A.
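An added example of the custom gate discussed in this thread, not code from any poster or from Umbraco: the page that has just validated the reCaptcha issues a signed, short-lived link, and a module refuses every other request under /media/, which also covers the expired-document case. The signed-link scheme, MediaToken, MediaGateModule, the e/t query keys and the placeholder key are all assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class MediaToken
{
    // Placeholder key (assumption): load a random secret from protected config.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("REPLACE-WITH-RANDOM-SECRET");
    static string Sign(string path, long expiresTicks)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(
                Encoding.UTF8.GetBytes(path.ToLowerInvariant() + "|" + expiresTicks)));
    }
    // Called after the reCaptcha succeeds. The link lives five minutes and never
    // past the document's expiry, so an already expired document yields a dead link.
    public static string Issue(string path, DateTime docExpiryUtc, DateTime nowUtc)
    {
        var until = nowUtc.AddMinutes(5);
        if (docExpiryUtc < until) until = docExpiryUtc;
        return path + "?e=" + until.Ticks + "&t=" + HttpUtility.UrlEncode(Sign(path, until.Ticks));
    }
    public static bool IsValid(string path, string e, string t, DateTime nowUtc)
    {
        long expires;
        if (t == null || !long.TryParse(e, out expires) || nowUtc.Ticks > expires) return false;
        var expected = Sign(path, expires);
        int diff = expected.Length ^ t.Length;          // constant-time comparison
        for (int i = 0; i < expected.Length && i < t.Length; i++) diff |= expected[i] ^ t[i];
        return diff == 0;
    }
}

public class MediaGateModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, args) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            var path = ctx.Request.Path;
            if (!path.StartsWith("/media/", StringComparison.OrdinalIgnoreCase)) return;
            var q = ctx.Request.QueryString;
            if (MediaToken.IsValid(path, q["e"], q["t"], DateTime.UtcNow)) return;
            ctx.Response.StatusCode = 403;   // direct, tampered or expired link: refuse
            ctx.ApplicationInstance.CompleteRequest();
        };
    }
    public void Dispose() { }
}
```

Under the IIS integrated pipeline, register the module in system.webServer/modules without the managedHandler precondition so that it also runs for static files such as PDFs.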