Introduction
What does it do?
This extension protects everything within /fileadmin/
based on
associated folder and file restrictions (visibility, user groups and dates of
publication):

Unlike other similar extensions securing the File
Abstraction Layer (FAL) of TYPO3, this extension aims at making it
straightforward to block direct access to your sensitive assets and to keep
the exact same URL as if your /fileadmin/
would not be protected; this
is thus totally transparent from a user perspective.
No need to configure anything, just install and enable as usual, block direct access at the server level (Apache/Nginx see below) and... that's it!
Our motto? KISS!
How does it work?
The idea is to block direct access at the server level so that your Apache or Nginx web server delegates the handling of static assets to a small script within this extension which ensures any file and folder restrictions are enforced.
By design, the "_processed_" folder (/fileadmin/_
) is not
protected and its content (thumbnails or resized/cropped images) is always
freely accessible.
There is another design choice that is worth mentioning: access checks are bypassed in Frontend while you are authenticated in the Backend as a TYPO3 administrator. So if you want to double check your security measures are working properly, be sure to use another browser/session or ensure you are not currently authenticated as an administrator in the TYPO3 Backend.
NOTE: Since version > 1.2.0 all ProcessedFiles are resolved to the original FAL resource. As result you can also protect the "_processed_" folder, if the resolution of the original file rights is correct for your purpose.
Differences with similar extensions
We have found two similar extensions with their own differences to this extensions:
-
- changes the download URL (using the
eID
concept from TYPO3 core, non-public storages); - only file links from non-public (protected) storages go through security proxy
- provides Frontend-related components (a File tree JS component);
- is able to keep track of a count of downloads.
- changes the download URL (using the
-
- requires relatively complex configuration at the server level and as administrator in TYPO3 Backend;
- changes the download URL;
- supports more advanced use-cases like one-time download link.