This might be an absurd question, but I've been banging my head on this for a week now and have got no further than 'it just works that way'. Here's my problem.

We have a portion of our Joomla site that's devoted to teachers from other countries applying to come teach here in the US. Of course, part of the process is to upload various forms of ID, passport, state ID, etc to the site. These are all stored in a subdir of /media/k2/attachments/ directory. This isn't a huge problem if the user accesses the documents by logging into the site. However, since we also vet these teachers, our staff needs to be able to access those documents as well. Most of our vetting process workflow is in SalesForce. It was discovered that, if the full URL of the document is in the teachers SF record, it can be clicked on and the document is accessible without requiring a login.

(A non-working sample URL: www.domain.com/media/k2/attachments/cet_secured/)

Obviously, this is a major problem, which we've managed to sort of avoid by moving all those documents to internal storage accessible only via VPN. However, this doesn't address the larger issue of documents that are uploaded and not moved until the next cron job is run. It also doesn't prevent any external user from directly accessing ALL our attachments (identification or otherwise) from being accessible via full URL.

I can block all REFERERs using NGINX rules, but that isn't that much more secure since not all browsers support that header, and it can be spoofed with remarkable ease.

I can throw up an NGINX auth page, but that blocks the applicant from accessing those documents unless I come up with a secure way of handing them passwords.

We're looking at a PHP based option that ties into Joomla's auth mechanism, but surely there's a better way of fixing this.

I'm no Joomla expert (not since 1.0 at any rate), so are there options on how to lock this down either inside K2 or with an NGINX directive?

Hello,

To be honest, I would move the files from the /media/... folder into a folder outside the public_html folder so they are not directly accessible through the direct URL.

The "Change root attachments folder" setting in K2 can allow you to change the folder which the attachments are stored.

Honestly, I can't imagine how that would fix my particular problem. The media will still have to be available via a URL for logged in users to access. I mean if www.domain.com/media/k2/attachments/cet_secured/ is the current link, and I move the media to www.domain.com/data/attachments/cet_secured/, then it would still be the same problem. The link in SF would have to be altered to reflect the new location, which rather defeats the purpose of trying to lock down this media to logged in users only.

Maybe I'm missing something simple, but logically this doesn't make much sense to me.

I mentioned outside the public_html (or public folder).
This way there would be no direct URL for users to access.

Okay, maybe I wasn't quite clear enough on this, and for that I apologize.

The issue is that, when the users upload these documents, they will still access to them, if only to either upload newer copies, or edit existing documents. Not to mention the fact that our staff here will need to have access to the documents from SalesForce. One thing that might help clarify is that teachers applying to come into the US to teach aren't particularly creative with their filenames, and we'll need to track the documents with their UIDs in Joomla, in care there are users with the same filenames uploaded. It doesn't happen often, but it does happen.

Does this help?