DNN Forums

Resources available without login to anyone with URL

Growing Member

    We discovered a very scary situation where anyone with a URL to any resource under the DNN folders can access that resource even if they do not have a login. My DNN version is 8.0.3

    Any help is greatly appreciated.

    Mike

    Growing Member

      Is the file in a folder created under "secure/filesystem" ?
      See https://www.dnnsoftware.c...der-file-permissions

      Veteran Member

        Mike,

        to be more specific: a folder in DNN can have 3 types: "Standard", "Secure" and "Database" (just to mention, there are others as well if you are using a cloud connector, but I assume that the folders are created inside the web structure under /Portals/x/...).

        When you create a folder of the type "Standard", the files you put in have a URL like https://www.mysite.com/Po...Documents/Myfile.pdf - and if someone accesses this URL, IIS delivers the file and DNN is not involved in that process.

        When you have files that have to be secured, you need one of the two other options. "Secure" means the file is renamed from "Myfile.pdf" to "Myfile.pdf.resources" (you see this in Windows Explorer), and as .resources is listed as denied in the Request Filtering of IIS, the file is not delivered by IIS if you access the URL https://www.mysite.com/Po...Myfile.pdf.resources. The URL looks something like https://www.mysite.com/Li...0&language=en-US - and this is handled by DNN checking the folder permissions, so if the folder permissions are restricted for some role(s)/user(s) - and not "Everyone" - a login is necessary.

        More or less the same is valid for the "Database" type; the difference is that you don't see the file in the folder structure (in Windows Explorer, you only see the folder, but it seems to be empty), as it is saved in the DNN database. This could blow up your database, so don't use it if you have the size restricted by your hosting provider.

        In short: If you want to restrict access to a file to specific roles and/or users, you have to use the Secure or Database type.

        Unfortunately, you can't change the folder type of an existing folder. You have to create a new (secure) folder and move the files there.

        Happy DNNing!
        Michael 

        Michael Tobisch
        DNN★MVP

        dnnWerk Austria
        DNN Connect
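
An added example, not taken from the thread and not DNN's shipped configuration, of the IIS Request Filtering rule the answer above relies on, written as it would appear in a site's web.config; the portal folder and file names in the comments are assumed:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not DNN's own web.config. It shows the IIS Request Filtering
     entry that stops a "Secure" folder's renamed files from being served directly.
     IIS already lists ".resources" among the denied extensions in its default
     applicationHost.config; repeating it at site level makes the intent explicit
     and survives a server whose global list was edited. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <!-- A file uploaded to a Secure folder is stored on disk as, for example,
               /Portals/0/SecureDocs/Myfile.pdf.resources  (path assumed).
               With this entry a direct request for that path is refused by IIS
               (HTTP 404, substatus 7) before DNN's pipeline ever runs.
               Without it, IIS would hand the bytes to anyone who knows the path,
               exactly as it does for files in a "Standard" folder. -->
          <add fileExtension=".resources" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

The original name (Myfile.pdf without the suffix) no longer exists on disk, so it returns 404 as well; the only working route to the content is DNN's LinkClick.aspx handler, which evaluates the folder's permissions before streaming the file. A quick check after moving files into a Secure folder is to request the .resources URL in a browser session that is not logged in and confirm that IIS refuses it.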

        Veteran Member

          That is how the default works: you put a file on a location on your server. If someone knows the location, they can see/download the file. Pretty much FTP-like.

          As James mentioned, if you need more security, use the folder options

          Regards,
          Tycho de Waard

          Tjep's digital agency
          We just love DNN
          https://www.tjeps.com

          Veteran Member

            Another thing to mention is that DNN 8.0.3 is quite old and has some security issues. You should upgrade to the latest version as soon as possible.

            Happy DNNing!
            Michael

            Michael Tobisch
            DNN★MVP

            dnnWerk Austria
            DNN Connect

            Growing Member

              Michael,
              When you say "You have to create a new (secure) folder and move the files there." Can I move the files through the file system such as windows explorer or do I need to upload them all through the DNN UI??

              Thanks again for all the help. Much appreciated.

              Mike

              Veteran Member

                Mike,

                you can move the files using Digital Assets Manager (the File Manager in DNN), or with the new Resource Manager (which is available in DNN 9.8+). Don't do it using Windows Explorer. And check if the links to the files are still valid after moving the files (probably not).

                Happy DNNing!
                Michael

                Michael Tobisch
                DNN★MVP

                dnnWerk Austria
                DNN Connect

                New Around Here

                  Is there a way of creating secure folders using IIS authorization instead? We discovered that our secure folders that we made secure through IIS in 2018 are no longer secure, now it is 2022. This worked for us in the past but we discovered recently that our "secure" or restricted files are now visible to a user that doesn't require a login. We would prefer not to use the DNN secure folder. Some of our staff members do not like the LinkClick.aspx handler. We have a private site that has two layers of security. Thanks.

                  New Around Here

                    Hi again,

                    Let me add... an unauthorized user can access a URL, the same as the original person who posted the question.

                    Veteran Member

                      Please contact [email protected] for security issues.
                      Regards,
                      Tycho de Waard

                      Tjep's digital agency
                      We just love DNN
                      https://www.tjeps.com