
Protecting downloads does not work (Downloads schützen funktioniert nicht) #5568

Closed
acht11 opened this issue Dec 10, 2022 · 8 comments
Comments

@acht11
acht11 commented Dec 10, 2022

Affected version(s)

5.0.7

Description

Created a folder -> not public
Put a file into this folder
Made the file available via downloads/download and protected it with access restricted to members
The following link is now generated in the frontend:
https://xxxx.xxxxx.xx/informationen/xxxxinformationen.html?_hash=RxQlTd8yrbRvUXr7vd7sEmh1%2BYs%2FEsUPAdQz0UC4%2Bn4%3D&ctx=a%3A1%3A%7Bs%3A2%3A%22id%22%3Bi%3A2176%3B%7D&d=attachment&f=Ingwersaft.pdf&p=documents+internal%2FIngwersaft.pdf

If this link is opened in a new browser without logging in to the site, the file is displayed.
That should not be the case.

@asaage

asaage commented Dec 10, 2022

I don't know if that is actually the same behaviour as in 4.13 and earlier?
I addressed something like that some years ago and in response the cid query parameter was invented.
I still think that the download(s) element should not contain links to resources at all.
Instead a POST form should be rendered - then all necessary conditions could be checked and resources could possibly be zipped before returning them as a stream. That way hotlinking could be eliminated (which was the main reason behind this thought).
For every other use case I think it's totally legitimate to put the file into a public folder and use the hyperlink or ce_text element.
For reference: #14 (comment) | contao/core#8375 (comment)

@ausi
Member

ausi commented Dec 10, 2022

I was not able to reproduce that issue, in my test no file was downloaded if not logged in as a member.
@acht11 what are the exact steps to reproduce this?

@acht11
Author

acht11 commented Dec 10, 2022

@ausi
I'll try to explain it. My goal is to have files in a protected folder so that only members are able to download them. All other visitors should be redirected to an "Access denied" web page even if they know the link to the file. This was working in Contao 3.5.
To reproduce it, do the following steps.

  • create a folder and set it to non-public
  • put a file into this folder
  • put a download element on your website and reference the file
  • activate the protection and set access to a member group
  • now log in as a member and go to the web page where you have put the download
  • copy the link to the file to the clipboard
  • log off the website or start a new browser and put the link in the address line
  • now you have access to the file without a login

From my perspective this is a security issue. However this link becomes public, all visitors will have access to this file and I have no possibility to prevent this.

@ausi
Member

ausi commented Dec 10, 2022

These are the steps I tried, and it was not possible to download the file in a new browser or after logging out.

> activate the protection and set access to a member group

Did you activate the protection on the download element itself, or on the page?

Can you post a screencast of all the steps?
Do you have any extensions installed?

@acht11
Author

acht11 commented Dec 10, 2022

@ausi
Yes, I had activated the protection in the download element. But now I have found another curiosity. When I put this protected download element on a new page on the same website, then it works. But the original page still has the problem. The difference between these two pages is:
On the page where it works, there is just one protected download element.
On the page where it doesn't work, there are two download elements. The first is public (unprotected) and the second is protected (members only).
The idea behind this is: visitors should see just the one public document and members should see both documents.
No extensions installed, just a theme from pdir.de

@ausi
Member

ausi commented Dec 10, 2022

> On the page where it doesn't work, there are two download elements. The first is public (unprotected) and the second is protected (members only).

This way I can reproduce it, thank you for the detailed investigation.

I think we need to add a check for $context['id'] === $model->id here:

and pass $model as a parameter here:

/cc @m-vo

@ausi ausi removed the unconfirmed label Dec 10, 2022
@ausi ausi added this to the 5.0 milestone Dec 10, 2022
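The failure mode discussed above, as an added example and not Contao's own code: a small Python model of a page whose download elements each get a chance to handle an incoming signed download link. The signing scheme, the `DownloadElement` class, `handle_request`, `serve`, the `bind_context` switch, the secret and the element ids are all constructed for illustration; Contao's real `_hash` and `ctx` parameters are produced differently. With `bind_context=False` the model reproduces the report (two elements on one page, the public one first, and the protected file served without a login); with `bind_context=True` each handler first checks that the `id` in `ctx` is its own element id, which is the `$context['id'] === $model->id` check proposed above.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed secret; a real installation would use its own application secret.
SECRET = b"constructed-example-secret"


@dataclass(frozen=True)
class DownloadElement:
    """One download content element on a page (hypothetical model of tl_content)."""
    id: int                 # element id, ends up in the ctx parameter
    path: str               # file path inside the non-public folder
    protected: bool         # "protect element" switched on
    groups: frozenset       # member groups allowed when protected


def _sign(path: str, ctx: str) -> str:
    """HMAC over path and context: the role the _hash parameter plays."""
    return hmac.new(SECRET, f"{path}|{ctx}".encode(), hashlib.sha256).hexdigest()


def generate_download_url(element: DownloadElement, page_url: str) -> str:
    """Build the link the element renders in the frontend."""
    ctx = json.dumps({"id": element.id}, separators=(",", ":"))
    params = {"_hash": _sign(element.path, ctx), "ctx": ctx,
              "d": "attachment", "p": element.path}
    return f"{page_url}?{urlencode(params)}"


def _user_allowed(element: DownloadElement, user_groups: set) -> bool:
    return not element.protected or bool(element.groups & user_groups)


def handle_request(element: DownloadElement, query: str, user_groups: set,
                   bind_context: bool) -> Optional[str]:
    """One element's download handler: returns the path it serves, or None."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    # 1. Signature check: the link was produced by this site and not tampered with.
    if not hmac.compare_digest(_sign(q["p"], q["ctx"]), q["_hash"]):
        return None
    # 2. Context binding (the missing check): does this link belong to *this* element?
    #    Without it, a valid link for a protected element is honoured by an
    #    unprotected element on the same page, and that element's empty policy wins.
    if bind_context and json.loads(q["ctx"]).get("id") != element.id:
        return None
    # 3. This element's own access policy (a real app would redirect to the 403 page).
    if not _user_allowed(element, user_groups):
        return None
    return q["p"]


def serve(page_elements, query: str, user_groups: set, bind_context: bool) -> Optional[str]:
    """Every download element on the page is asked in order; the first taker wins."""
    for element in page_elements:
        path = handle_request(element, query, user_groups, bind_context)
        if path is not None:
            return path
    return None


# Constructed page from the report: a public element first, a protected one second.
PUBLIC = DownloadElement(1, "documents/flyer.pdf", False, frozenset())
MEMBERS = DownloadElement(2176, "documents internal/Ingwersaft.pdf", True, frozenset({"members"}))
PAGE = [PUBLIC, MEMBERS]


def demo() -> dict:
    """Run the scenarios from the thread; values are the served path or None."""
    query = generate_download_url(MEMBERS, "/informationen.html").split("?", 1)[1]
    forged = query.replace("Ingwersaft", "Geheim")  # tampered path, hash no longer matches
    return {
        "anon_unbound": serve(PAGE, query, set(), False),              # the bug: file served
        "anon_single_element": serve([MEMBERS], query, set(), False),  # why a lone element was fine
        "anon_bound": serve(PAGE, query, set(), True),                 # with the check: denied
        "member_bound": serve(PAGE, query, {"members"}, True),         # members still get it
        "anon_forged": serve(PAGE, forged, set(), True),               # tampering still rejected
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

The point the model makes: the signature only proves that the site generated the link and that its parameters are intact; it says nothing about which element's access policy has to be applied to it. Any handler that verifies the signature and then applies its own policy must therefore first refuse contexts that are not its own, otherwise the weakest element on the page decides.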
@acht11
Author

acht11 commented Dec 11, 2022

Thanks a lot for your fast response. So it was a real issue and not my fault. Is your proposal just an idea or a checked solution? In case that is the solution, could you please show me the two lines and how they are to be implemented?

@ausi
Member

ausi commented Dec 12, 2022

> Is your proposal just an idea or a checked solution?

Just an idea.
