I developed a product download portal for customers with Kirby 2. The portal hosts private files for each customer, and downloading these files should not be possible via public URL (download is initiated with PHP instead).
The product files reside in the content-folder to allow easy manipulation via panel. I’ve restricted access to these files via .htaccess. The path of each file looks like this: /content/products/customer/filename.ext
When migrating to Kirby 3, I noticed that after downloading a product file, the file gets copied to the media directory. media/pages/products/customer/123456789-123456789/filename.ext
Is it possible to disable caching of these files to media directory? Motivations:
The product files can be very large. Duplication to media folder unnecessarily fill-ups the web host disk quota
Although the files are not in “plain sight”, they are still downloadable via a public URL in media folder. The project has high security requirements, and these kind of things cannot be overlooked
Are you making download links available for restricted files with $file->url()? Files get copied to the media folder only when the URL returned by the url() method is accessed in the browser.
I suggest you to create a custom file method to generate a URL for restricted files instead of using the default $file->url(). Then point those files to a custom route from where you could handle the authorization logic or token validation. Here is a simple example:
As I understand, these files are now not protected outside this page – how exactly do I need to implement this solution if I list links from a simple files section like below? Unfortunately I’m not very familiar with routes and plugins – thanks a lot for any tips!