Administrator manual

As an administrator, we make your life as lightweight as possible, unlike other similar extensions. The only point you need to tackle is to prevent direct access to /fileadmin/ at the web server level.


You are naturally free to adapt the configuration to leave /fileadmin/ free to access but enable access check only for a given list of subdirectories. If so, your web server will bypass any possible restrictions the users defined to files and directories you choose to never ever protect.

Installation (Apache)

Edit file .htaccess (or your virtual host) to read:

RewriteCond %{REQUEST_URI} !/fileadmin/_processed_/.*$
RewriteRule ^fileadmin/.*$ %{ENV:CWD}index.php [QSA,L]

BEWARE: Be sure to add this rule before any other related rule.

Installation (Nginx)

Edit your server block to read:

location / {
  rewrite ^/fileadmin/(?!(_processed_/)) /index.php last;

  # snip

or, if that better fits your setup, like that:

location ~ /fileadmin/(?!(_processed_/)) {
  rewrite ^(.+)$ /index.php last;

Access to exclude fields

In order for your editors to edit protection on folders, make sure they are granted access to the fe_groups field for Folder (tx_falprotect_folder):

Granting access to updating folder permissions

Similarly, editing protection on files requires access to following exclude fields of File Metadata (sys_file_metadata):

  • Visible (visible)

  • Start (starttime)

  • Stop (endtime)

  • Access (fe_groups)

In addition, make sure to allow "modify" access on both tables tx_falprotect_folder and sys_file_metadata.

Security considerations

By design, the "_processed_" folder (/fileadmin/_processed_/) is not protected and its content (thumbnails or resized/cropped images) is always freely accessible. The rules above exclude this directory from useless processing by TYPO3 but even if you ask to process absolutely everything by this extension, files within the "_processed_" folder are always public.

NOTE: Since version > 1.2.0 all ProcessedFiles are resolved to the original FAL resource. As result you can also protect the "_processed_" folder, if the resolution of the original file rights is correct for your purpose.


TYPO3 supports the concept of a recycler folder where deleted files will automatically land, if that folder exists:

Recycler directory

You may create as many recycler folders as you want by simply creating new folders with the name _recycler_. The behaviour is that any deleted file will land in the "nearest" recycler folder.

As such, a protected file may land at a higher level in the folder structure and thus be suddenly publicly available.

We think that files within a recycler folder should never be publicly accessible and would suggest administrators to block direct access to any recycler folder at the server level (taken from the suggested configuration for TYPO3):


RewriteRule _(?:recycler|temp)_/ - [F]


# Restrict access to deleted files in Recycler directories
location ~ ^/fileadmin/(.*/)?_recycler_/ {
  deny all;
  access_log off;
  log_not_found off;

404 or 403?

By default, the extension will return a 404 Not Found error if a file is not found. This is a security measure to prevent attackers from guessing file names. If you prefer to return a 403 Forbidden error instead, you can do so by changing the default setting in the extension configuration.