How to protect the access to the documents in a course?

From ClarolineDoc

Thread 2242 of the forum discusses this problem.

Description of the problem.

To preserve resources, the documents tool links directly to the documents. With this method, user agents connect directly to Apache to download documents without running PHP. But if PHP doesn't run, PHP cannot perform its security checks.

Solution 1 : with .htaccess

Check whether the user comes from a PHP script of Claroline, by looking at the Referer header of the request. This is the solution explained in our forum (http://www.claroline.net/forum/viewtopic.php?t=2242).

Apache solution, the best (but it requires Apache)

Sample for a campus at http://www.mycampus.tld/ and the course FOO. Code:

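 AuthName "-- Foo documents protected --"
 AuthType Basic
 # Set local_ref_FOO when the Referer starts with a Claroline URL of this campus
 SetEnvIfNoCase Referer "^http://www\.mycampus\.tld/FOO/document/" local_ref_FOO
 SetEnvIfNoCase Referer "^http://www\.mycampus\.tld/claroline/" local_ref_FOO
 # Allow only requests carrying that variable; all others are denied (403)
 Order Allow,Deny
 Allow from env=local_ref_FOO
 ServerSignature Off
 # Send denied requests back to the campus home page
 ErrorDocument 403 http://www.mycampus.tld/
 IndexOptions FancyIndexing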

Solution 2 : all documents through PHP

  • If you don't have Apache, another solution is to let a PHP document script load the document and send it to you as an on-the-fly stream (a PHP script reads the content and sends it as the response body, as if it were itself the document). Awful but very secure with other web servers.
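
A sketch of Solution 2, added here as an example and not taken from Claroline's code: the access decision comes from the server-side session instead of a request header, and the file is read from a directory the web server does not serve directly. DOC_ROOT, the `course` and `file` parameters, the function names and the `$_SESSION['courses']` layout are assumptions.

```php
<?php
// Added example, not Claroline code. DOC_ROOT, the 'course'/'file' parameters
// and the $_SESSION['courses'] layout are assumptions made for illustration.
const DOC_ROOT = '/var/claroline-data';   // assumed: outside the web server's document root

/** Resolve $file inside the course's document directory, or return null. */
function resolveDocument(string $root, string $course, string $file): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $course) || strpos($file, "\0") !== false) {
        return null;                                  // course code must be a plain identifier
    }
    $base = realpath("$root/$course/document");
    $path = realpath("$root/$course/document/$file"); // collapses ../ and symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Reject anything that resolved outside the course directory.
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

/** Assumed session layout: list of course codes the logged-in user may read. */
function userMayRead(array $session, string $course): bool
{
    return in_array($course, $session['courses'] ?? [], true);
}

/** Send the headers, then the file content as the response body. */
function sendDocument(string $path): void
{
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . addcslashes(basename($path), '"\\') . '"');
    readfile($path);
}

if (PHP_SAPI !== 'cli') {                 // front controller, e.g. download.php?course=FOO&file=a.pdf
    session_start();
    $course = (string) ($_GET['course'] ?? '');
    $path   = resolveDocument(DOC_ROOT, $course, (string) ($_GET['file'] ?? ''));
    if (!userMayRead($_SESSION, $course)) {
        http_response_code(403);          // not enrolled: refuse before revealing whether the file exists
    } elseif ($path === null) {
        http_response_code(404);
    } else {
        sendDocument($path);
    }
}
```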

External resource

In French