clemens wettengel
we are using Tactic Community 4.4.0v02 on Centos 6.7.
We noticed that every uploaded asset is accessible via direct URL to the file without any permission check. This means everyone can access our uploaded files even without having a valid login for TACTIC.
If you just type the URL server/assets/projectname/assets/assetname/publish/filename.ext you can view and/or download the file.
I consider this to be a serious security aspect because we are using tactic not just within the internal network.
I tried to find information about this "feature" but wasn't very successful.
Did I miss something in the configuration? Is it possible to force a login to access these files?



Maybe you have missed some configuration of the asset field type; make it not open for everyone and try to check it again from another IP address.



Most installations are internal behind a firewall, so this often is not an issue.

The reason it is open is because, for performance reasons, the Web Server (i.e. Apache) is serving the files and not TACTIC. We used to use mod-python but that was discontinued a while ago. Presently we've had success with mod-xsendfile, which allows you to run a script before a request for a file.
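As an added illustration of the mod-xsendfile approach described in the reply above (this is example code, not TACTIC's own or anything shipped by the project): a small WSGI gate that Apache routes every /assets request through; it checks the login session and, only if valid, answers with an X-Sendfile header so Apache streams the file itself. The asset root, the Apache directives in the header comment and the session store are placeholder assumptions; in a real deployment the session check would call the application's own session lookup.

```python
# Added example, not TACTIC code. Assumed Apache side (placeholder paths):
#   XSendFile On
#   XSendFilePath /var/www/tactic/assets
#   WSGIScriptAlias /assets /var/www/tactic/asset_gate.wsgi
# With this in place nothing under /assets is served without passing
# through asset_gate(); the old unauthenticated direct URL stops working.
import os
from http.cookies import SimpleCookie

ASSET_ROOT = "/var/www/tactic/assets"   # placeholder asset root
# Constructed stand-in for a real session store (hypothetical token).
VALID_SESSIONS = {"s3ss10n-ok"}


def session_is_valid(environ):
    """True only when the request carries a known 'session' cookie."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("session")
    return morsel is not None and morsel.value in VALID_SESSIONS


def resolve_asset(path_info, root=ASSET_ROOT):
    """Map the URL path onto the asset tree; reject anything escaping it."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, path_info.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None  # '..' or symlink escape: refuse to hand it to X-Sendfile
    return candidate


def asset_gate(environ, start_response):
    """WSGI app: 401 without session, 403 outside the tree, else X-Sendfile."""
    if not session_is_valid(environ):
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login required\n"]
    target = resolve_asset(environ.get("PATH_INFO", "/"))
    if target is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
    # Empty body: mod_xsendfile replaces it with the file named in the header.
    start_response("200 OK", [("X-Sendfile", target),
                              ("Content-Type", "application/octet-stream")])
    return [b""]


def handle(environ):
    """Run asset_gate on one request; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(asset_gate(environ, start_response))
    return captured["status"], captured["headers"], body
```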