Requiring login to view documents or download files

On a site with membership features enabled, you can set any page to be visible only to users who have logged in ("members"). We call these pages "private pages".

On a private page, you can put a link to a file, such as a PDF, and since the page is private, only people who have access to the page will be able to click that link.

However, should the link to that document be shared, perhaps by email or by posting to some other site, or if the site admin accidentally put the link on a public page, the document could be downloaded by anyone. If Google every accessed a page with the link, it could be in the Google index indefinitely, even if the link was later removed. So a brief mistake could result in a document being accessible via public search for an indefinite period.

Have no fear, we have a solution!

To increase the protection for private documents, we've added a new feature that will block access to selected files unless the person (the browser, really) accessing the file is logged in.

To set this up, you need to do two things:

  1. Add a config setting with the name "security.acl.folder.default" and set the value to the role that is required to access this file (typically "member").
  2. Put the file in a folder whose name starts with "secure_".
That's all it takes. Note that there is no restriction on the filenames, and the folder name can end with anything you want, but it must start with "secure_". So a good folder name would be something like "secure_documents". Be sure not to put any file in such a folder that should be accessible by any site visitor.
Have more questions? Submit a request


Please sign in to leave a comment.
Powered by Zendesk