Restrict media/file access with special permissions

Hi, I am looking into getgrav and it seems, that it has al the features. However, about one thing I am not sure. I want to use special permissions and they seem to work well with pages. However the media like images in the same page are still accessible by everyone if they click on the direct link. I tried to add the access part in the imagename.meta.yaml but that didn work. I also enabled the “Protect a login-protected page media” from the login plugin which did not help

Is there a way to do it?

@schneech, Maybe an earlier discussion on protecting video/image inside a page folder might give some insight/ideas: How to protect video and photos from folder

When using protect_protected_page_media: true in ‘/config/login.yaml’ it will only work if the url to the image is site relative and not a physical path.

  • Physical path:
    http://mydomain/user/pages/02.typography/image.jpg is not under access control
    This url is created when using markdown syntax: ![My Image](image.jpg)
  • Site relative:
    http://mydomain/typography/image.jpg is under access control.
    This requires manual creation of the <img> tag: <img src="/typography/image.jpg">

Note: If someone knows Grav, one could ‘guess’ the page relative url and gain access again…

@pamtbaau I see, thanks for the swift reply. I searched the forum but did not stubble across that thread.

In that case, I probably have to switch away from GetGrav because of that though. :confused:

@schneech, Considering the topics on the web about this issue (here, here, …), I’m afraid it will not be an easy task and probably not solved by another CMS.

It is more or less comes down to how the internet/browsers work…

Please feed back if you found a solution.

@pamtbaau Thanks for the links. What I do now is to restrict direct access to the files via .htaccess (part 2 of your first link). I am still not sure if there is some way to hack around that. But it seems that only the users that can access the page where the file is embedded in, can download the file. Which is enough for me.

Do you by any chance know if there is still a way for a user that cannot access the embedding page to download the image?