You can secure the /filestorage/ folder so that unauthorized users cannot view the post attachments stored in it by:
- Placing the /filestorage/ folder outside of the /web/ folder and making the necessary adjustments in the site community.config file.
- Adding a web.config file to the /filestorage/ folder.
- Creating a media gallery for a separate group and attaching the files to posts in the gallery.
A user who requests site or user files through a direct link will be able to access them if you are using the cfs-filesystemfile.ashx file handler (which is the default in the /web/ folder web.config file). Telligent Evolution does not have a site file read permission.
Secure the /filestorage/ folder by moving it outside the /web/ folder
When you do this, users are forced to go through the secured CFS file handler to access a file. The CFS system checks permissions for the related post. If a user does not have access to read a post made in an application (such as when you have removed this permission from the Everyone role), he/she will also not be able to directly access a file attachment to a post in that application.
- Choose a location other than your /web/ folder to contain the /filestorage/ folder. (For example, if your site is c:/inetpub/TelligentEvolution and your /web/ folder is contained there, you could place /filestorage/ in the c:/inetpub/TelligentEvolution/ folder itself.)
Update the communityserver_override.config file to correctly reference the /filestorage/ location in the file system. Following the example of putting the /filestorage/ folder in the /TelligentEvolution/ folder, you would change
Notes: We recommend that the path statement, based on the absolute path, be 45 characters or fewer. The communityserver.config file itself also contains information about path statements for CFS.
- Ensure that you have assigned the correct permissions for the folder (Read & execute, list, and read).
Secure your /filestorage/ folder from inside the /web/ folder
If you prefer to leave your /filestorage/ folder inside the /web/ folder, you can block direct access to the folder by creating a web.config file inside /filestorage/. A direct request for a file in the folder will then return a 404 error.
The following configuration is the default, and new installations of Telligent Evolution 7.0 should already have this file defined. This documentation exists in case the web.config file was previously removed.
- Create a file called web.config inside your /filestorage/ folder.
- Copy the following contents inside the file:
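<configuration><system.web><httpHandlers>
  <add path="*" verb="*" type="System.Web.HttpNotFoundHandler"/>
</httpHandlers></system.web><system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
  <handlers><add name="BlockViewHandler" path="*" verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" /></handlers>
</system.webServer></configuration>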
- Save the file.
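To confirm that one of the two folder-level options above is actually in effect, the following added example (not part of the Telligent documentation) audits a deployment: it checks whether /filestorage/ sits under the web root and, if so, whether its web.config maps every request to the 404 handler for both the classic and integrated pipelines. The function names, finding messages and sample inputs are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NOT_FOUND = "System.Web.HttpNotFoundHandler"

def _blocks_all(section):
    """True if the section maps every path and verb to the 404 handler."""
    if section is None:
        return False
    return any(
        add.get("path") == "*" and add.get("verb") == "*"
        and add.get("type", "").split(",")[0].strip() == NOT_FOUND
        for add in section.findall("add"))

def audit_filestorage(web_root, filestorage, web_config_xml=None):
    """Return findings; an empty list means direct requests cannot reach the files."""
    web, store = PureWindowsPath(web_root), PureWindowsPath(filestorage)
    if web != store and web not in store.parents:
        # Assumption: no IIS virtual directory maps this outside location to a URL.
        return []
    if web_config_xml is None:
        return ["filestorage is inside the web root and has no web.config"]
    try:
        root = ET.fromstring(web_config_xml)
    except ET.ParseError as exc:
        return [f"web.config is not well-formed XML: {exc}"]
    findings = []
    if not _blocks_all(root.find("system.web/httpHandlers")):
        findings.append("classic pipeline: no catch-all HttpNotFoundHandler")
    if not _blocks_all(root.find("system.webServer/handlers")):
        findings.append("integrated pipeline: no catch-all HttpNotFoundHandler")
    return findings

# Constructed sample inputs; paths follow the page's c:/inetpub/TelligentEvolution example.
WEB = "c:/inetpub/TelligentEvolution/web"
GOOD = """<configuration>
  <system.web><httpHandlers>
    <add path="*" verb="*" type="System.Web.HttpNotFoundHandler"/>
  </httpHandlers></system.web>
  <system.webServer><handlers>
    <add name="BlockViewHandler" path="*" verb="*" preCondition="integratedMode"
         type="System.Web.HttpNotFoundHandler"/>
  </handlers></system.webServer>
</configuration>"""
# Same file with the integrated-mode section missing (constructed failure case).
CLASSIC_ONLY = GOOD.replace("system.webServer", "removedSection")

if __name__ == "__main__":
    print(audit_filestorage(WEB, WEB + "/filestorage", CLASSIC_ONLY))
```

A web.config that is not well-formed XML is reported as a finding rather than treated as protection, since a damaged file does not give the 404 behavior described above.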