Reputation: 334
When a user creates a booking via this website, an invoice (PDF) will be generated and saved in assets/invoices. Only staff members will access these to download and email to the clients. However, at the moment, if the exact URL is known by somebody, they are able to access it whether they are logged in or not. I am trying to restrict access to these files to those logged into the CMS only. Is there a way to do that via some permissions module?
Upvotes: 2
Views: 514
Reputation: 1245
Is Secure Assets the module you're after? https://github.com/silverstripe-labs/silverstripe-secureassets
With it you can set permission for Files/Folders "that mirrors the access restrictions of sitetree pages".
Upvotes: 4
Reputation: 2644
I made a module a while back to do this: https://github.com/colymba/ss-privateassets
You could try it or use it to write your own.
Upvotes: 0
Reputation: 334
When I tried to achieve this through modules I was not getting any results. What I did to achieve this was add a private folder in the assets directory and put all my secure files within this folder. I added an .htaccess file within the private folder containing:
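<IfModule mod_rewrite.c>
# Flag that mod_rewrite is available
SetEnv HTTP_MOD_REWRITE On
RewriteEngine On
RewriteBase /
# True when the Cookie header does not carry cookie_name=cookie_value as a whole cookie
RewriteCond %{HTTP_COOKIE} !(^|;\s*)cookie_name=cookie_value(;|$) [NC]
# Send the request to the page-not-found URL instead of the file
RewriteRule ^ /page-not-found [NC,L]
</IfModule>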
This code checks for a specific cookie name and a specific cookie value. If this condition is not met, it will redirect the user to the page-not-found URL.
Within an extension to a booking system in the CMS I had present, I set the cookie. This cookie was then set upon logging into the CMS, if a user did not have this cookie they could not view any of the files/folders within the /assets/private directory.
Upvotes: 0
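How a RewriteCond cookie test like the one in the last answer treats different Cookie headers, as an added example that is not part of the original posts: it emulates the negated, case-insensitive match in Python and compares a pattern that requires a trailing semicolon with one anchored on cookie boundaries. The headers are constructed sample data, and `cookie_name` / `cookie_value` are the placeholders from the answer.

```python
import re

# Patterns as they would follow the "!" in: RewriteCond %{HTTP_COOKIE} !<pattern> [NC]
# cookie_name / cookie_value are placeholders, as in the answer.
LOOSE = r"cookie_name=cookie_value;"                    # needs a trailing ";"
ANCHORED = r"(^|;\s*)cookie_name=cookie_value(;|$)"     # whole-cookie match


def is_rewritten(pattern, cookie_header):
    """Emulate the negated RewriteCond with [NC].

    Returns True when the condition holds, i.e. the request would be
    rewritten to /page-not-found instead of the file being served.
    """
    return re.search(pattern, cookie_header, re.IGNORECASE) is None


# Constructed Cookie headers (sample data, not captured traffic).
SAMPLES = {
    "no cookies": "",
    "staff cookie first": "cookie_name=cookie_value; PHPSESSID=abc123",
    "staff cookie last": "PHPSESSID=abc123; cookie_name=cookie_value",
    "other cookie, same suffix": "xcookie_name=cookie_value; PHPSESSID=abc123",
    "wrong value": "cookie_name=other; PHPSESSID=abc123",
    "longer value": "cookie_name=cookie_value2; PHPSESSID=abc123",
}


def evaluate(pattern):
    """Map each sample label to True (rewritten) or False (file served)."""
    return {label: is_rewritten(pattern, hdr) for label, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("anchored", ANCHORED)):
        print(name)
        for label, blocked in evaluate(pattern).items():
            outcome = "page-not-found" if blocked else "served"
            print(f"  {label:28} -> {outcome}")
```

Both patterns compare against a fixed value supplied by the browser, so the rule confirms only that the cookie was sent, not that a CMS session exists.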