Protected files with hash don't open correctly --> 404 page

Questions
#1

Silverstripe Version:4.11

When I link to a protected file I get a link with a hash mysite.com/protectedfolder/hashed1234/file.pdf which results in a 404 when clicked. What did I miss? All other not protected files work fine and don’t have this hash in their link.

I just tested to protect a different random file. As soon as I set permission to a file to “Who can view this file?” to “Logged-in users” the link goes to the file (url without hash) but on the page it says “Not Found”. Not sure if this is related to the above described issue. Do I do anything wrong by only setting “Who can view this file?” to “Logged-in users” on this file or is this a bug?

Thank you very much in advance.

#2

Does it only give you a 404 when you are not logged in as a user with view permissions on that file?
If so, that’s exactly what should happen - that’s the point of a protected file.

#3

Hi GuySartorelli,
Thanks for your reply.
I am logged in at the time. I actually used the link from the preview window from within the admin area.

I can only see the page with the links if I am logged in. So, this part works.

Interesting, regarding the second test, I guess something hasn’t refreshed at the time of testing.
The file I randomly secured with “Who can view this file?” to “Logged-in users” is showing the url with hash (my mistake when I wrote the question above) and now it shows me the file correctly when I open it. I just tested that it works when I link it on a protected page and it does work.

So, from this I guess it has something to do that the folders and documents being all protected regarding my initial issue. The random protected document is within a not protected folder whereas the initial document that has been protected is within protected folders.

Do you know if this is the wrong way to set this up? I assumed the folders need to be protected as well. In this case the main folder is the one where all the protected documents are in and within this folder there are subfolders, but even the documents being directly in the main folder aren’t working when click them.

I hope the above makes sense to you. If not, please ask. Thanks.

#4

A folder only needs to be protected if you want to protect all files within that folder. You then don’t have to protect each file within that folder individually - there is an option to inherit permissions which is the default option.

You can protect individual files if you don’t want to protect all the files in a folder.

but even the documents being directly in the main folder aren’t working when click them.

This part sounds like a bug - can you please create an issue in the assets repository on Github about this with as much detail as you can provide, including reproduction steps from a fresh installation of silverstripe/installer?

#5

Hi GuySartrelli,
Thanks for your reply.
My apologies for not write this issue down properly with all the details and wrong wording. (with the main folder in this context I meant the main folder for the collection of all the protected files let’s call it “protected files folder”, sorry my bad). I haven’t really worked on a project with protected files before so I wasn’t aware of all the details.

To sort this out:

  • It seems that all documents which are protected no matter if a single document in an unprotected folder or files within a protected folder get this hash in their url. Is this correct?

  • A file protected in an unprotected folder by using the “Who can view this file?” to “Logged-in users” works as expected and opens correctly (with hash in url) when user is logged in.

  • A file within a protected folder ( “Who can view this file?” set to “Logged-in users”) and the file inherits the permission of this folder doesn’t open correctly (this is the set-up of this initial question, I somehow assumed that a file with the lock symbol is secured with the “Who can view this file?” set to “Logged-in users”, but on that website they are all “Inherit from parent folder” )

  1. I set-up a new project as you recommended and :
    1.1. created a protected folder with a file which inherits the permission of the folder:
    file in a protected folder loads properly when logged in, but when I copy and paste the url and try it in a different browser (not logged in state) I get a white page with ‘Not found’ instead of a proper ‘404 page’ or as I would expected getting redirected to the login page, but maybe my expectation is wrong.
    1.2. uploaded a file and protected it in an unprotected folder works as expected, but again when I try to use the document url unlogged, I get the page with ‘Not found’ instead of a proper ‘404 page’ (same behaviour as above)
    1.3. upload a file and protect the file itself (without a folder - so in top level “Files” folder) same behaviour as in 1.2.

Now, it dawns on me that this has probably something to do with the upgrades of the website. This website has been updated from version 3.6.6 to 4.3 to 4.6 to 4.7 and now 4.11. The upgrade to 4.3 had been done with the MigrateFileTask and I think that’s where the hashes were introduced if I remember correctly.

They are updating some content and finally want to go live and now this bubbles up. I think it never has been tested in between. So, I can’t really verify if it ever worked.

I have an archive of the 4.7 version and there the files are loading properly, but the url doesn’t contain a hash and when I try the url in a different browser window (not logged in), the documents show as well. Either this was a bug or a mis-configuration in the upgrading part? The url is missing the hash somehow or maybe they changed it back to protected files without the hash?

So, some step seems to be missing in the upgrade process, but I can’t find any special documentation except the one from V3 to V4 using the MigrateFileTask .

In the _config folder mysite.yaml I have the following configuration:

SilverStripe\Assets\File:
  migrate_legacy_file: true
  keep_archived_assets: true

I checked the Change logs, but can’t find anything. Did I miss any other documentation in between regarding the files/folders?

Do you have any idea, which parts of the software have been changed regarding the documents in protected folders? Thank you very much.

#6

It sounds to me like everything you’re experiencing in 4.11 is working exactly as intended, and that in 4.7 the files just aren’t protected at all.

#7

No, they don’t.
All files in a protected folder which inherit this protection open with a 404 page with a logged in user.

Files in 4.7 are in a protected folder, but could be opened from anyone having the url.

#8

This is the expected and desired behaviour. It’s a protected file by virtue of inheriting the protection settings from the protected folder. You have to be logged in to view the file. Is the part that you’re finding unexpected the fact that it’s a 404 error instead of a 403? If so you could write a middleware to change that for your project.

#9

No, I am getting this 404 as a logged-in user and this is not correct. I should be able to see the document when I am logged in. That’s my issue.

#10

First of all thank you very much GuySartorelli for all your effort.
After I figured out that this must have had something to do with the upgrading of the software it was clear that only I could sort this out, as you can’t really reproduce this kind of error.

Finally I found the issue and I write it down just in case somebody else might have the same issue.

For some reason I not only had the protected files in the .protected folder but the exact same folder structure without any files directly under ‘assets’. That caused the “Not found”, which makes sense now. After I deleted the empty folders under assets, all protected files now show for the logged in user as expected and for not logged in users using this url they get to see the ‘Not found’, but as they shouldn’t have access to the link in the first place I don’t mind.