How can I make a pdf document that's linked to in a topic, secure?

Started by Mareid, April 11, 2013, 09:33:43 AM


Mareid

Within my secure forum, I want to have documents available that users can download, view and print.  I want the underlying documents to have the same security as the forum itself without users having to re-enter their passwords. 

What I do now, which is not secure, is upload pdf documents to my website, and then create a link within a topic to specific documents.  The directory that houses the pdfs is thus open to anyone who knows the url to the document. 

There has to be a better way to do this.  Is there a way to put the pdfs and the occasional html into the SQL database? 

Help gratefully appreciated.

Arantor

Forum attachments, or use either the Downloads mod or Aeva Media to store them.

Kindred

You COULD use one of the media gallery mods or the downloads mod.
That keeps them as files, but does not display open links to the files

edit - ninja'd
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Mareid

Took a look at the downloads mod.  I don't think that's what I am looking for.  Users can download and print the files now as links in a topic.  What I want is to restrict everyone except users who are allowed to use that forum from seeing the raw files that have been linked to in the topic.  If I can upload more than one pdf to a single topic I think that will work.  I will give it a try.  I've only ever uploaded pictures, and they show as a thumbnail, so a thumbnail of a pdf should be great if that's what I get and it's easy to see if it will work.

Arantor

Quote: I don't think that's what I am looking for.  Users can download and print the files now as links in a topic.

You can actually limit who can see the downloads, but yes there is a lack of context attached.

Quote: If I can upload more than one pdf to a single topic I think that will work.

The default rules are 4 attachments to a post. These are configurable in the admin panel; you may need to change the limits as the defaults may be too small for the files you're uploading.

Quote: so a thumbnail of a pdf should be great if that's what I get and it's easy to see if it will work

Well, it won't be a thumbnail, it'll just be the filename but the principle holds.

Mareid

The attachment piece works, but it's not the complete solution.

I have an html page that I can upload.  The html page links to a bunch of different pdf documents set up in tables (here's the link so you can see what I have: link to html document).  I want to store the pdf documents securely.  People who have access to the forum should be able to see them, others not.

Arantor

Quote: I want to store the pdf documents securely.

That's why you use the attachments system. It IS secured via the permissions you can set in the admin area.

Kindred

If you attach a file, it gets uploaded and placed in the attachments folder with a hashed name and no extension.
In other words, once it is uploaded/attached, no one can get to the file EXCEPT by accessing the attachment through the post.


That is one reason that I suggested using the downloads mod or something like AEVA Gallery.
In either of those mods, you can put the files directly on the server and front-load the mod display with the contents of the directory.

In both of those mods, access to the files is STILL CONTROLLED by SMF's permission system.

Mareid

I really would like to be able to have the links to my pdfs nicely formatted in tables on an html page, to make them easier to find and get at by my readers. 


I will try playing with the mod and see if I can make it work the way I want it to.  I'm concerned that AEVA has halted development, and thus may not keep up with SMF development.

Thanks for your help and suggestions

Mareid

I figured out how to get the downloads mod on my site, (that was a learning experience in itself) but the mod puts a whole 'nother button on menu list labelled "Downloads".  Users want to view and possibly print the documents, but they would never need to actually download the files.  They barely know how to access the forum as it is, this will just confuse them further.

Is there a way to remove the button altogether and still use the security feature to place the files where they'll be secure?

Mareid

I've got the "Downloads" mod.  It's not really what I want, but even at that I can't figure out how to upload the files to the server to be downloaded by the user.

Mareid

hmmm...there appear to be TWO downloads mods, one by smfhacks and one by someone else.  I deleted one and installed the one by smfhacks, but I don't seem to have any way to upload the files with that one either.  I must be missing something.  Can you advise which of the two downloads mods is the right one?

Kindred

I have used the one by SMF Hacks
It was pretty straight forward to install and set up...

If you have any questions on it, just ask them in the support thread for the mod. :)

You can always change the download text to something else ("files" for example)
And whether the user downloads the object or views it online really depends on their browser settings.

Mareid

SMF level security is not really essential.  Passworded directories would be ok.  I am simply trying to prevent my users from going directly to the files.  The users are even more unsophisticated than I am about the web, mostly elderly people who still use AOL and need to view some documents that are not very critical even if they were widely distributed. 

I don't want to take the attachment approach (which the downloads mod uses).  Is there a way to integrate the (admittedly not very secure) .htaccess and .htpasswd so that when a user is logged in he or she doesn't have to use a second password? 

Arantor

Quote: Is there a way to integrate the (admittedly not very secure) .htaccess and .htpasswd so that when a user is logged in he or she doesn't have to use a second password?

No.

Kindred

no, there is no good way to do that.

I still think that the aeva or downloads mod is your best choice.
I have images and other documents including pdfs and word docs available for the users in my aeva installation.

Mareid

I would use attachments and I've got the downloads mod installed except for one thing.  When you click on an attachment link, the file itself does not open, a popup presents itself with the choice to open save or whatever.  I want the user to be able to click on the link and have it just open to the document.  If there were a way to do that with the attachments that would work although the presentation wouldn't be ideal. 

I will try AEVA mod and see what it does but I'm not hopeful.

Mareid

Tried Aeva.  Same problem, downloads instead of putting up the document.  If there's no way to use .htpasswd either above or within the forum directory, I guess I'll just live with the fact that the directory with the documents is not secure.  Thanks for taking the time to try to help.


Arantor

It could be made to be what you want, but there are also quite serious downsides to doing it the way you want, notably the fact far more bandwidth will be used, and there are issues with some PDF clients in browsers that will attempt to stream content rather than downloading it all at once.

That's why none of them operate the way you want.

MrPhil

Quote from: Mareid on April 13, 2013, 10:15:02 AM
When you click on an attachment link, the file itself does not open, a popup presents itself with the choice to open save or whatever.  I want the user to be able to click on the link and have it just open to the document.

That's the way that browsers normally work, at least for PDF documents. You'll just have to train your users to "open" the document (which assumes they have Adobe Reader or some other PDF reader installed, which is a whole 'nuther ball of wax). Nothing that SMF can do about it. A document has to be downloaded in the first place in order to display it, so there's nothing to prevent a user from saving it at some point in the process (for future reference). Maybe there's a "document streaming" capability out there somewhere, which never saves a full copy of the document (including the cache), much like video streaming, but I think that SMF would have to be modified to use it, and your users would have to install the viewer.

Let's step back a moment and take in the Big View. You have PDF documents that you do not want the link being passed around the general public. Note that once your readers have a copy on their PC (say, in Adobe Reader), they are free to save it (possibly there's a setting in the document to prevent saving it, and .htaccess settings to immediately purge it from the cache. It's not guaranteed foolproof, but may be adequate for your purposes). SMF hashes (one-way encryption) the name in the attachments directory, so that no one is going to guess the file name even if they know the original name. If you configure your site not to generate an index for directories without an index.* file, and/or put in a dummy index.html file "Nothing to see here folks. Move along.", no one can see the files and try loading them one by one. SMF does not appear to expose the original name or location in the link. You can restrict the visibility of the posts with links to PDF documents to signed-in members only (guests can't view any posts). Would all of these capabilities built into SMF be adequate security?
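
The approach discussed in this thread (files that no URL maps to, handed out only after the forum login is checked, and offered for in-browser viewing) can be sketched as a small PHP script; this is an added example, not code from any poster or from SMF itself. Assumptions: the script is a hypothetical `view.php` placed one level above a `forum/` directory containing SMF's `SSI.php`, the PDFs live in a hypothetical `/home/example/private_docs` outside the web root, and "logged in" is the only permission checked (it does not consult per-board permissions).

```php
<?php
// Added example: hypothetical view.php, linked as view.php?doc=handbook.pdf
// Assumption: SSI.php is in ./forum and populates $context for the current visitor.
require_once __DIR__ . '/forum/SSI.php';

// Assumption: documents are stored outside the web root, so no direct URL reaches them.
const DOC_DIR = '/home/example/private_docs';

// Fail closed: if the guest flag is missing or true, refuse. The forum login
// cookie is the only credential, so members never see a second password prompt.
if (!isset($context['user']['is_guest']) || $context['user']['is_guest']) {
    http_response_code(403);
    exit('Please log in to the forum to view this document.');
}

// Accept only a bare file name ending in .pdf; anything with path parts is rejected.
$name = isset($_GET['doc']) ? (string) $_GET['doc'] : '';
if ($name !== basename($name) || !preg_match('/^[A-Za-z0-9._-]+\.pdf$/', $name)) {
    http_response_code(400);
    exit('Bad document name.');
}

// Resolve symlinks and confirm the target really sits inside DOC_DIR.
$base = realpath(DOC_DIR);
$path = realpath(DOC_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('No such document.');
}

// Drop anything SSI.php may have buffered so the PDF bytes arrive intact.
while (ob_get_level() > 0) {
    ob_end_clean();
}

// "inline" asks the browser to display the PDF instead of prompting to save;
// the browser's own settings still have the final say.
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

Links in an HTML table would then point at `view.php?doc=...` rather than at the files themselves; a member who opens a document can still save or forward the copy their browser received.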
