Authentification restriction to download file

JP_Clerc · August 16, 2023, 11:15am

Hello!!

For a client, I designed a feature which allows a panel user to download a csv file (list of emails) filed from a form in the home page.
Public users fill the form and a structure field is updated, in a specific page.

I want to restrict the possibility to download the file, only for registered panel users.

It works on locahost environnement, on my compnay’s server but not in my client server (of course…).

I did:

Blueprint of addemails.yaml : the structure field and an info section “To download, click here” (link to the current page which suppose to be available for registered user only)
Template addemails.php, the page which create the csv file, with only:

<!DOCTYPE html>
<html lang="fr">
</html>

Controllers to check registered users and create the file

<?php

return function ($kirby, $page) {

    // Create file for registered users only
    if ($kirby->user()) {
        header("Content-type: text/csv");
        header("Content-disposition: attachment; filename=liste-emails.csv");

        $listemails = $page->listeEmail()->toStructure();
        $emails = [];
        foreach($listemails as $item) {
            $emails[] = $item->email();
        }

        $fp = fopen('php://output', 'wb');
        foreach ( $emails as $line[0]) {
            fputcsv($fp, $line, ',');
        }
        fclose($fp);
        exit();
    }
    else {
        go('/');
    };
}
 ?>

Any idea why this works depending on the environnement?
I checked different conf:

Same browser (Brave) but different identity : download without authenitification
Trying with Edge : Can’t download but once I’ve logged in and out, I can download without authenitification

Thanks for you help!

JP_Clerc · August 16, 2023, 11:34am

UPDATE: I think the problem come from the cache system of the server. If I add a new line in my structure field, the csv file doesn’t have it. In the same way, I added “.old” to the php template and controllers “addemails.php” to disable the acess but the page still work, the file is still created (a wrong one, with not the actual emails, but at least, a file…).

Is it possible that the server keep a hidden version of the php files? Even if we rename it?

distantnative · August 16, 2023, 11:39am

What’s your Kirby config.php looking like? Does that have caching activated?

I know there sometimes have been issues with server’s OPcache - but I didn’t think that could kick in with renamed files even.

JP_Clerc · August 16, 2023, 11:43am

Thanks for your anwser!

I don’t have a caching config in the Kirby’s config.php file, only in .htaccess:

# BEGIN Cache-control Headers
<IfModule mod_headers.c>
  <FilesMatch "\\.(ico|jpe?g|png|css|svg)$">
	Header set Cache-Control "max-age=86400, public"
  </FilesMatch>
  <filesMatch "\\.(html|htm)$">
	Header set Cache-Control "max-age=7200, public"
  </filesMatch>
</IfModule>
#END Cache-Control Headers

distantnative · August 16, 2023, 12:04pm

Right now, I can’t think of any on Kirby’s side that is causing this. Checking for $kirby->user() seems to be the right call and shouldn’t be cached or allow unauthorized visitors to get the CSV file served.

JP_Clerc · August 24, 2023, 12:16pm

After a few times, it seems that the server has a few minutes delay… Kirby can do nothing about it.

Thanks for you help!