Authentication restriction to download file


For a client, I designed a feature which allows a panel user to download a CSV file (list of emails) filled from a form on the home page.
Public users fill the form and a structure field is updated, in a specific page.

I want to restrict the possibility to download the file, only for registered panel users.

It works in my localhost environment and on my company’s server, but not on my client’s server (of course…).

I did:

  • Blueprint of addemails.yaml: the structure field and an info section “To download, click here” (link to the current page, which is supposed to be available for registered users only)

  • Template addemails.php, the page which creates the CSV file, with only:

<!DOCTYPE html>
<html lang="fr">
  • Controllers to check registered users and create the file

return function ($kirby, $page) {

    // Create file for registered users only
    if ($kirby->user()) {
        header("Content-type: text/csv");
        header("Content-disposition: attachment; filename=liste-emails.csv");

        // Collect the e-mail column of the structure field
        $listemails = $page->listeEmail()->toStructure();
        $emails = [];
        foreach($listemails as $item) {
            $emails[] = $item->email();
        }

        // Stream one address per CSV row to the response body
        $fp = fopen('php://output', 'wb');
        foreach ( $emails as $line[0]) {
            fputcsv($fp, $line, ',');
        }
        fclose($fp);
    }
    else {
        // (else branch not shown in the post)
    }
};

Any idea why this works depending on the environment?
I checked different configurations:

  • Same browser (Brave) but different identity: download without authentication
  • Trying with Edge: can’t download, but once I’ve logged in and out, I can download without authentication

Thanks for your help!

UPDATE: I think the problem comes from the cache system of the server. If I add a new line in my structure field, the CSV file doesn’t have it. In the same way, I added “.old” to the PHP template and controller “addemails.php” to disable access, but the page still works and the file is still created (a wrong one, without the actual emails, but at least a file…).

Is it possible that the server keeps a hidden version of the PHP files? Even if we rename them?

What’s your Kirby config.php looking like? Does that have caching activated?

I know there sometimes have been issues with server’s OPcache - but I didn’t think that could kick in with renamed files even.

Thanks for your answer!

I don’t have a caching config in the Kirby’s config.php file, only in .htaccess:

# BEGIN Cache-control Headers
<IfModule mod_headers.c>
  <FilesMatch "\\.(ico|jpe?g|png|css|svg)$">
	Header set Cache-Control "max-age=86400, public"
  </FilesMatch>
  <FilesMatch "\\.(html|htm)$">
	Header set Cache-Control "max-age=7200, public"
  </FilesMatch>
</IfModule>
#END Cache-Control Headers

Right now, I can’t think of anything on Kirby’s side that is causing this. Checking for $kirby->user() seems to be the right call and shouldn’t be cached or allow unauthorized visitors to get the CSV file served.

After a few times, it seems that the server has a few minutes delay… Kirby can do nothing about it.

Thanks for your help!
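
The thread ends with a server-side cache replaying the authenticated response. As an added example (not code from the thread or from Kirby), here is a variant of the controller that marks every response as non-storable and refuses anonymous visitors explicitly. It assumes the cache in front of PHP honours Cache-Control, and it uses plain PHP header()/exit rather than any Kirby response helper; the file path is inferred from the names in the thread.

```php
<?php
// site/controllers/addemails.php (path assumed from the names in the thread)
// Added example: auth-gated CSV download that no cache may store or replay.

return function ($kirby, $page) {

    // Tell browsers, proxies and server-side page caches that this response
    // is per-user and must never be stored, whatever the outcome below.
    header('Cache-Control: no-store, private');
    header('Pragma: no-cache');   // HTTP/1.0 caches
    header('Expires: 0');
    header('Vary: Cookie');       // response depends on the session cookie

    // Anonymous visitor: refuse explicitly instead of falling through
    // to a rendered page that a cache could keep and serve later.
    if (!$kirby->user()) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        echo 'Forbidden';
        exit;
    }

    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="liste-emails.csv"');

    $fp = fopen('php://output', 'wb');
    foreach ($page->listeEmail()->toStructure() as $item) {
        // One e-mail address per row, cast from Kirby field to plain string
        fputcsv($fp, [$item->email()->value()], ',', '"', '\\');
    }
    fclose($fp);

    // Stop here so the template's HTML is not appended to the CSV.
    exit;
};
```

To verify on each environment, request the page without a session cookie and confirm a 403 status with the no-store header; a 200 with CSV content means a cache in front of PHP is still answering.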