attached files privacy
hawork
10-30-2006, 11:02 AM
Hello!
I have my attached files stored in a folder in the forum (forum/attached). The thing is that I only give permission to download attached files to registered users. However, anyone can access my attachment folder just by browsing with their navigator to the URL: http://mydomain.com/forum/attached
Is there any way to avoid this kind of access?
Thanks in advance!:up:
Will it work if I change this folder's permissions to chmod 666?
ericgtr
10-30-2006, 02:46 PM
Interesting, I guess I never paid attention to this but you are right. A couple of things to consider are that the actual URL is never given, so someone would have to know the name of your attachment directory. The other thing is that the files are nondescript, e.g. file.attach, so there is no telling what that file actually is.
Still, protecting it is a good idea. You can drop a simple blank index.htm in the root of your attachment folder and it won't be accessible. To do this, create a blank .txt file, rename it to index.htm, and upload it into the root of your attachment folder.
Based on how the files are stored (/attachments/u/s/e/r/i/d/ or /attachments/userid/) you can still see the directory listings knowing the userid of the person you want to see. (Since you don't have an index.htm file in every directory)
The way to make it so no one can see the listings is to just redirect people when they try to go there.
So just create a .htaccess file and put this in it:
Redirect permanent /forum/attached/ http://localhost/forum/ (Changing the URL accordingly)
tobybird
10-30-2006, 03:12 PM
Or couldn't you just simply add the following to your .htaccess for the attached folder:
Options All -Indexes
hawork
11-01-2006, 11:00 AM
I like these last two options because if I have to insert an index file in every folder it could be a lot of work.
Right now I set my folder with permissions chmod=666 and it is working alright but I have to test it. When you try to access it gives a 'forbidden' error and I like this because people know they are acting in a wrong way ;-)
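An added example, not part of the original thread: a small audit that walks an attachment tree and reports which directories Apache could still list, showing why a blank index.htm in the root alone leaves the per-user subdirectories open while one .htaccess in the root covers them all. It assumes .htaccess files are honoured (AllowOverride permits them), that the index names below match the server's DirectoryIndex, and it uses a constructed sample tree; the .htaccess check is a text heuristic and says nothing about direct requests for a known file name.

```python
import os
import re
import tempfile

INDEX_NAMES = ("index.htm", "index.html", "index.php")  # assumed DirectoryIndex names
# Directives that stop a directory listing (heuristic text match, not a full parser).
BLOCKING = re.compile(
    r"^\s*(Options\b.*-Indexes|Require\s+all\s+denied|Deny\s+from\s+all)",
    re.IGNORECASE | re.MULTILINE)

def htaccess_blocks(directory):
    """True if this directory's own .htaccess disables listings or denies access."""
    try:
        with open(os.path.join(directory, ".htaccess"), errors="replace") as fh:
            return bool(BLOCKING.search(fh.read()))
    except OSError:
        return False

def listable_dirs(root):
    """Paths (relative to root) with no index file and no blocking .htaccess
    in the directory itself or in any ancestor up to root."""
    exposed, covered = [], {}
    for current, dirs, files in os.walk(root):
        dirs.sort()  # deterministic order
        parent = os.path.dirname(current)
        # .htaccess settings are inherited by subdirectories.
        covered[current] = covered.get(parent, False) or htaccess_blocks(current)
        has_index = any(name in files for name in INDEX_NAMES)
        if not covered[current] and not has_index:
            exposed.append(os.path.relpath(current, root))
    return exposed

def build_sample(base):
    """Constructed sample tree: attached/<userid>/file.attach"""
    root = os.path.join(base, "attached")
    for uid in ("1", "2"):
        os.makedirs(os.path.join(root, uid))
        open(os.path.join(root, uid, "file.attach"), "w").close()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample(tmp)
        open(os.path.join(root, "index.htm"), "w").close()
        print("blank index.htm in root only:", listable_dirs(root))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        print(".htaccess in root:", listable_dirs(root))
```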