Can I store files in a secure fashion on the server and access them from SMF?

Started by Mareid, April 09, 2019, 12:32:16 PM


Mareid

I have a bunch of pdfs (archival documents) that I'd like to make accessible to users via my SMF forum.  I want to store them on the server where the forum is located.  While they are not particularly sensitive, I do want to keep them private.  I know I can store them as attachments, but the UI for getting attachments is less than ideal for this purpose.  What I really want to do is make a single document with a set of links to the files.  I've done this with files that have no security, so I know how to create the link-document.

What I would like to do is make access to the files only available by password, and have that password be the SMF forum password.  I don't mind making users sign in again, or sign in directly on the web, but I want access from within the forum to be simple.

If I'm not clear let me know.

vbgamer45

I have a download system that sort of does it. Not password protected, but you can choose which groups have access to download files.
https://custom.simplemachines.org/mods/index.php?mod=992
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Mareid

All users should/will have access to the files.  We are a tiny group (<100) and don't expect to get much bigger, so I don't think either of these solutions will work for us.   If they can access the pdf, they can download/print or read online.  The gallery might work, but it's way overkill for us.  Thank you very much for your suggestions though.

vbgamer45

I would then just restrict guest permissions from downloading attachments.

I have a mod that adds a view/download permission as well: https://custom.simplemachines.org/mods/index.php?mod=4189

Sir Osis of Liver

You can create a board/topic that registered users can access, post links to the pdf files in the topic.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Mareid

Sir Osis, that is exactly what I want to do, but where and how do I store the PDFs?  Here's an example of what I want to do..

Since the documents here are in the public domain, I don't have a problem making them public here, probably should have in the first place:

This is what the body of the topic looks like:  Carriage House Historical Minutes

The files are just in some directory on the server, ftp'd up there.  Forum users who are authorized can get them via the forum but other users can't.  But the directory on the server itself is not secured in any way.

What I want to do is exactly the same as this, but with some kind of file security.

Sir Osis of Liver


Not sure what you're asking, you've linked to pdf in your post, that seems to be what you want to do.  Doesn't matter where the files are stored, uploading them to a new directory in your forum will work fine.  You can post the links in a topic that's only visible to logged in members, so they are password protected same as forum.

Mareid

That is exactly the answer I'm looking for.  But I can just type the url into any old browser without being logged into the forum and the file is displayed even if it is a directory inside the forum. I don't want someone who happens to know the url to be able to access those files.

Chen Zhen


You should be able to adjust your http server software configuration (ie. Apache, Windows, Nginx, etc.) to deny access to a specific directory or use a wildcard files match command.

ie.
To simplify what I am referring to you can use a .htaccess file in the specified download directory for Apache.
PHP should still be able to download the specific files but attempting to use direct links will be denied.

example refs.
https://linuxconfig.org/deny-direct-file-download-with-htaccess
https://stackoverflow.com/questions/39550660/how-to-block-direct-download-file

SMF already does this concerning its attachments directory.
I will assume the download mod also implements this or at least it should.

Perhaps this explanation will give you the gist of how it's accomplished.



My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

LiroyvH

Quote from: Mareid on April 09, 2019, 07:31:36 PM
That is exactly the answer I'm looking for.  But I can just type the url into any old browser without being logged into the forum and the file is displayed even if it is a directory inside the forum. I don't want someone who happens to know the url to be able to access those files.

That's because you manually uploaded them with FTP.
SMF doesn't control access to folders you create. All it can do is limit who can download attachments uploaded through SMF's system. It can't restrict access to files to logged in users to random folders and files you manually upload. You publish them and the server simply does what it's supposed to do: serve a file when it's requested. ;) So if someone has the direct URL to a file: yes, they can download it.

You either need to protect the directory you put them in (eg: with a user/pass you share to users, but that's not ideal as they can share those credentials (they can share the file as well once downloaded, but eh.)) or upload them through SMF so it becomes an attachment that actually *is* managed by SMF. Only then can SMF's permission system do anything for you and control who can download them.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
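
One way to implement the approach Chen Zhen describes earlier in the thread (direct URLs denied, PHP hands out the file to logged-in members), added here as an example and not code from any poster, from SMF or from the linked mods. It assumes the script sits in the forum root beside SMF's `SSI.php`; the script name, the storage path and the `file` parameter are hypothetical.

```php
<?php
// download.php - added example, not SMF's own code.
// Assumption: the PDFs are stored outside the web root, or in a directory
// whose .htaccess contains (Apache 2.4 syntax):
//     Require all denied
// so a typed-in URL to a PDF is refused by the web server itself.

// SSI.php ships with SMF; including it loads the visitor's forum session.
require_once __DIR__ . '/SSI.php';

const PDF_DIR = '/home/example/private_pdfs'; // hypothetical storage path

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// 1. Only logged-in forum members get any further.
if (empty($user_info) || !empty($user_info['is_guest'])) {
    deny(403, 'Please log in to the forum first.');
}

// 2. Accept a bare file name only: no directories, no "..", PDFs only.
$name = basename((string) ($_GET['file'] ?? ''));
if (!preg_match('/^[A-Za-z0-9._-]+\.pdf$/i', $name)) {
    deny(400, 'Invalid file name.');
}

// 3. Resolve symlinks and confirm the result is still inside PDF_DIR.
$base = realpath(PDF_DIR);
$path = realpath(PDF_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    deny(404, 'File not found.');
}

// 4. Discard any output buffers opened by the forum, then stream the file.
while (ob_get_level() > 0) {
    ob_end_clean();
}
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

The link list in the members-only topic would then point at `download.php?file=<name>.pdf` (constructed URL form) rather than at the PDFs themselves.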

GigaWatt

Quote from: CoreISP on April 09, 2019, 10:50:12 PM
You either need to protect the directory you put them in (eg: with a user/pass you share to users, but that's not ideal as they can share those credentials (they can share the file as well once downloaded, but eh.)) or upload them through SMF so it becomes an attachment that actually *is* managed by SMF. Only then can SMF's permission system do anything for you and control who can download them.

One of the things the former admin of the forum I now administer never thought of when he made a board accessible after 100 posts ::). In the end, every single file and link that was shared in that section became available to every user ::). And that is why that section is now closed and only available to staff members.

Sorry, not really related to the topic at hand, just thinking out loud.
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."
