We discovered a very scary situation where anyone with a URL to any resource under the DNN folders can access that resource even if they do not have a login. My DNN version is 8.0.3.
Any help is greatly appreciated.
Mike
Mike,
to be more specific: a folder in DNN can have 3 types: "Standard", "Secure" and "Database" (just to mention, there are others as well if you are using a cloud connector, but I assume that the folders are created inside the web structure under /Portals/x/...).
When you create a folder of the type "Standard", the files you put in have a URL like https://www.mysite.com/Po...Documents/Myfile.pdf - and if someone accesses this URL, IIS delivers the file and DNN is not involved in that process.
When you have files that have to be secured, you need one of the two other options. "Secure" means the file is renamed from "Myfile.pdf" to "Myfile.pdf.resources" (you see this in Windows Explorer), and as .resources is listed as denied in the Request Filtering of IIS, the file is not delivered by IIS if you access the URL https://www.mysite.com/Po...Myfile.pdf.resources. The URLs look something like https://www.mysite.com/Li...0&language=en-US - and this is handled by DNN checking the folder permissions, so if the folder permissions are restricted for some role(s)/user(s) - and not "Everyone", a login is necessary.
More or less the same is valid for the "Database" type, the difference is that you don't see the file in the folder structure (in Windows Explorer, you only see the folder, but it seems to be empty), as it is saved in the DNN database. This could blow up your database, so don't use it if you have the size restricted by your hosting provider.
In short: If you want to restrict access to a file to specific roles and/or users, you have to use the Secure or Database type.
Unfortunately, you can't change the folder type of an existing folder. You have to create a new (secure) folder and move the files there.
Happy DNNing! Michael
Michael Tobisch DNN★MVP
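As an added example that is not part of the original posts, this PowerShell script walks the Portals folder and separates files IIS would answer for directly from files carrying the .resources suffix described above. The site path and base URL are assumptions to adjust; files in "Database" folders are not on disk and therefore do not appear.

```powershell
# Added example, not from the thread. $SiteRoot and $BaseUrl are assumed values.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\dnn',   # assumption: DNN install folder
    [string]$BaseUrl  = 'https://www.mysite.com'    # assumption: public site address
)

$root    = (Resolve-Path -LiteralPath $SiteRoot).Path.TrimEnd('\')
$portals = Join-Path $root 'Portals'

$files = Get-ChildItem -LiteralPath $portals -Recurse -File | ForEach-Object {
    # "Secure" folders store Myfile.pdf as Myfile.pdf.resources; IIS Request
    # Filtering denies that extension, so only DNN can hand the file out.
    $secure = $_.Extension -ieq '.resources'
    $rel    = $_.FullName.Substring($root.Length).Replace('\', '/')
    [pscustomobject]@{
        Folder    = $_.DirectoryName.Substring($root.Length)
        Name      = $_.Name
        Direct    = -not $secure
        DirectUrl = if ($secure) { $null } else { $BaseUrl + [uri]::EscapeUriString($rel) }
    }
}

# Per-folder view: which folders hold files that bypass DNN folder permissions.
$files | Group-Object Folder | ForEach-Object {
    $direct = @($_.Group | Where-Object Direct)
    [pscustomobject]@{
        Folder         = $_.Name
        DirectlyServed = $direct.Count
        DnnControlled  = $_.Count - $direct.Count
    }
} | Sort-Object DirectlyServed -Descending | Format-Table -AutoSize

# Candidate URLs that IIS answers without any DNN permission check.
# IIS may still refuse some of them (no MIME mapping, other Request Filtering
# rules), so treat this as a review list, not a confirmed exposure list.
$files | Where-Object Direct | Select-Object -ExpandProperty DirectUrl
```

Folders with a non-zero DirectlyServed count that hold restricted material are the ones to recreate as "Secure" or "Database" folders, as the answer above describes.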
That is how the default works: you put a file on a location on your server. If someone knows the location, they can see/download the file. Pretty much FTP-like.
As James mentioned, if you need more security, use the folder options.
Michael, when you say "You have to create a new (secure) folder and move the files there," can I move the files through the file system, such as Windows Explorer, or do I need to upload them all through the DNN UI?
Thanks again for all the help. Much appreciated.
Hi again,
Let me add... an unauthorized user can access a URL, the same as the original person who posted the question.