rejetto forum

deny versus not found

raybob · 8 · 3686


Offline raybob (Tireless poster, Posts: 454)
1) When trying to hotlink to a folder/file that is under a protected directory and that doesn't exist, you are directed to the ~not found page.  Ex., a user tries to get /test/test2/ , while test2 doesn't exist and they don't have permission to access the folder test.

2) When trying to hotlink to a folder/file that is under a protected directory and that does exist, you are directed to the ~login page.  Ex., a user tries to get /test/test3/ , and is denied because they can't access the root folder /test/

The only flaw with this is that users are able to verify the existence of folders/files, even if they don't have access to them.

Personally, I think it would be more secure to make it so that both scenarios end in the same result, being redirected to ~deny rather than login or not found, this way a user can't verify that an actual file exists.

If you can't make this happen by default can you at least add an option for it?  Or is there already some way to do it?
« Last Edit: July 14, 2011, 12:53:51 AM by raybob95 »


Offline r][m (Tireless poster, Posts: 347)
If you have
Menu > Virtual File System > List Protected Items Only For Allowed Users
check marked they can only see what you have given them access to.
Eliminates the need for an error page.


Offline raybob (Tireless poster, Posts: 454)
I already have that checked.

What I'm talking about here is hot-linking, and being able to verify the existence of folders/files even without access, based on the redirection to ~login or ~not found.  The ideal way would be to redirect to ~login or ~deny always, whether the file is there or not.
« Last Edit: July 14, 2011, 01:21:20 PM by raybob95 »


Offline r][m (Tireless poster, Posts: 347)
OK, I overlooked that, but how do users obtain a hot link?
It would seem, someone with access (that can see it) would have to share it.
Would it be possible to do an event script to block these?
It's never been a problem here, so I'm not familiar.
Would something structured like

    [+request]
    {.if|{.match|.php;.js|%url%.}|{:{.disconnect.}:}
    .}

in events be made to stop hot linking?

How exactly is a hot link structured? Does it always contain @ for the login?

Edit:
This events macro works for php and js hack attempts when HFS runs in Windows,
but not on Ubuntu 11.04/Wine. In Windows the macro won't work with @ because, apparently,
the browsers don't recognize @ in
https://user:pass@ip address:port/Folder1/Folder2/File-name.ext
as being part of the URL... so... I still think there could be a way.
I'll experiment more tonight after work.
« Last Edit: July 14, 2011, 05:56:22 PM by r][m »


Offline raybob (Tireless poster, Posts: 454)
It's really not that much of a problem, I just thought it could be better.

My end goal here is that when directly linking to a non-existent file in a protected folder, the user is redirected to the same page as if the file did exist, e.g. ~login or ~deny, rather than ~not found.


Offline rejetto (Administrator, Tireless poster, Posts: 13510)
Currently this is out of the question, it cannot be done.
HFS is using HTTP authentication, and there's no login-then-browse logic like other servers.
When you see the login it's not because HFS asked for a login. HFS said to the browser "error: you are not authorized".
Any file is protected on its own, having a login-for-access logic. So HFS must offer authentication.


Offline raybob (Tireless poster, Posts: 454)
Really?  Oh....  Anyway I got it to work but my solution will not work for everyone.

The reason is that I recently wrote my own macro-based authentication system (which is very possible to do; I might make a topic for it because it works as well as before, plus now there's a sign out button and better functionality).

All I had to do was move the part under [download] in hfs.events that authenticates users (custom code) to the [request] section and now it acts the same whether the file exists or not.
« Last Edit: August 30, 2011, 05:53:22 PM by raybob95 »
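The existence oracle described in the first post, and the fix described in the last one (deciding access at the [request] stage, before the server ever looks for the file), reduce to the order of two checks in a request handler. The following is an added example in Python, not HFS code or any of the posters' macros; the path set, the access rules and the function names are constructed for illustration. It shows a leaky handler that checks existence first and so answers 404 or 401 depending on whether the protected target exists, beside a hardened handler that decides authorization from the requested path prefix first and therefore gives an unauthenticated visitor the same answer either way.

```python
"""Added example: status codes as a file-existence oracle, and the ordering fix.

Constructed data only; this is not HFS's own logic.
"""

# Constructed virtual file system: the paths that actually exist on the server.
EXISTING_PATHS = {
    "/test/",
    "/test/test3/",
    "/public/",
    "/public/readme.txt",
}

# Constructed access rules: protected folder prefix -> users allowed to see it.
PROTECTED = {
    "/test/": {"alice"},
}


def _protected_root(path):
    """Return the protected folder prefix covering `path`, or None if public."""
    for prefix in PROTECTED:
        if path.startswith(prefix):
            return prefix
    return None


def _authorized(path, user):
    """True if `user` (None = anonymous) may access anything under `path`."""
    root = _protected_root(path)
    return root is None or user in PROTECTED[root]


def leaky_handler(path, user=None):
    """Existence is checked before authorization.

    Unauthenticated requests get 404 (~not found) for a missing target but
    401 (~login) for an existing one, so the status code reveals existence.
    """
    if path not in EXISTING_PATHS:
        return 404
    if not _authorized(path, user):
        return 401
    return 200


def hardened_handler(path, user=None):
    """Authorization is decided on the requested path prefix first.

    The filesystem is only consulted once the caller is allowed into the
    folder, so an unauthorized caller gets 401 whether or not the target exists.
    """
    if not _authorized(path, user):
        return 401
    if path not in EXISTING_PATHS:
        return 404
    return 200


def leaks_existence(handler, existing, missing, user=None):
    """True if the handler answers an existing and a missing protected path differently."""
    return handler(existing, user) != handler(missing, user)


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_handler), ("hardened", hardened_handler)):
        print(name, "/test/test2/ ->", handler("/test/test2/"),
              "/test/test3/ ->", handler("/test/test3/"),
              "leaks:", leaks_existence(handler, "/test/test3/", "/test/test2/"))
```

Running it shows the leaky handler answering 404 and 401 for the two probes while the hardened one answers 401 for both; an authorized user still gets 200 for `/test/test3/` and 404 for `/test/test2/`, so the 404 is only reachable once access has been granted. The status code is just the most visible channel: a defender applying this ordering should also make sure the 401 response body, headers and response time do not differ between the two cases.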