Hello,
I'm Babeth and I'm French; maybe I don't use the right words, but I'm trying.
A friend installed Elgg to build a network around music. That's OK, it has worked for 2 years here: http://punxrezo.net (in French because we're French)
Today we are trying to make it better. I'm helping. My speciality is RSS files.
With Elgg, I've got a problem with the URLs in the enclosure of the RSS files (= the media files).
We have: http://punxrezo.net/pg/file/all/?view=rss
But what I want is the "REAL" link of each file. I mean I want the links with the .mp3 or .doc or .flv or .something extension (in the media files).
In mod>file>views>rss>file>enclosure.php, there is this code to build the enclosure URL:
if (elgg_instanceof($vars['entity'], 'object', 'file')) {
	// In fact, whatever I change here changes how the enclosure looks, BUT the
	// download link has an absolute URL that is still modified. This line gives
	// the relative URL that will be displayed, and the absolute download URL
	// exists based on this relative URL.
	$download_url = elgg_get_site_url() . 'file/download/' . $vars['entity']->getGUID();
	$size = $vars['entity']->size();
	$mime_type = $vars['entity']->getMimeType();
	echo <<<END
<enclosure url="$download_url" length="$size" type="$mime_type" />
END;
}
I think (but it's just a thought, I'm not really a pro) I have something to change in the code, but I don't know exactly what. Is it possible to have the "REAL" URLs?
Thank you for your answers. (We are installing Elgg 1.8.16.)
There is no 'direct url' as all the files are stored in the data directory which is (should be) protected and outside of the public domain.
Thank you for the answer, Matt. I have read something like this, but I still don't understand. Can you explain more, please?
I mean, what kind of protection exactly? If I create a simple website and put an image or an mp3 audio file on it, I can give the "direct url"; I don't think there is a security problem.
For example, all the podcast websites give their "direct link" in their RSS2 file.
Why does Elgg protect the URLs? Is it for security or to prevent anyone from downloading them? If we show the "direct urls", what sort of problems could happen?
Our purpose is to allow anybody to download the files.
I'm personally interested in podcasts, and an RSS2 file looks like this: http://feeds.feedburner.com/PodcastScience There are ALWAYS the direct links in the enclosure, and because of that, anybody can download the audio of their choice in the aggregator they want (iTunes or any other).
So, can you please tell me more about this?
And if "direct urls" are really impossible, how could I have "override urls" with the extension ".mp3" or ".ogg" or ".flv" or ".anything"? Maybe what I want will work if the URL is an "override url" with an extension.
(PS: still French, sorry for my English writing, again)
the files are stored in the data directory that is secure and away from the publicly accessible core elgg (php) files so that files which are marked as 'private' or some other level of security are not available by default to all visitors. the default security level for files that are stored by elgg needs to be 'not public' (hidden) and then elgg can allow some access to be given to whichever files the users wish to share, by using elgg's access/privacy settings/logic.
if you show the direct urls there is no problem except that, depending on how this is done, elgg's security features may not work for those files.
you could either store them outside of the elgg data folder, perhaps in a folder in a custom plugin.. which is not really the ideal solution for various reasons.. or you could write some code to somehow map the true filenames to the elgg datastore urls.. which might be technically inefficient.
the best solution would probably be to add a feature to 'elgg core' and/or 'file plugin' to expose the true url filenames within the file plugin instead of only having the option of a url that ends with a GUID (entity identifier key number).
i concur that that is a useful feature.
The other issue is that of security - there are a number of hacks that can be performed with craftily formed images/pdfs. This is not an issue if you are running a site and uploading files to be consumed by visitors like in a CMS such as drupal or wordpress. In a social network though, arbitrary files are uploaded by *anyone* and consumable by *anyone*. Keeping a php bridge between the end user and the actual file on the operating system prevents a number of security issues. You're asking for trouble giving direct upload and access privileges to unverified users.
why does the php bridge aspect prevent the use of full urls here?
if images/pdfs are uploaded via the existing elgg system, their content/structure (beyond name) remain as they are uploaded as far as i am aware.
Oki, I understand why I can't have the "direct urls". Thank you, Matt and Ura.
Instead, can I add a little modification to the "override urls"?
For example, in our social network Punxrezo, the RSS file for the audios is: http://punxrezo.net/mod/file/search.php?subtype=file&md_type=simpletype&tag=audio&page_owner=0&view=rss
And the audios' URLs in the enclosure (= media files) are like this: "http://punxrezo.net/pg/photos/download/50323/"
Is it possible to modify the code to have file extensions in the override URLs, like this: "http://punxrezo.net/pg/photos/download/50323.mp3"?
@babeth: that is possible, yes..
most features and ideas you can think of that a website 'could' do, can be coded...
the relevant question is 'how do we do this?' ;)
i don't know enough about how the elgg core code is processing files and file requests to comment much presently. i am looking to learn.
this feature would need to either be its own plugin or a core change since multiple other plugins all access the elgg filestore system and the change needs to affect all of them (or at least be a feature that they could all access if they are updated - tidypics/file and others).
I don't understand, there is a useful Elgg function for this feature: getFilenameOnFilestore(), and it works fine (real path + filename)
that command will produce the local filename, not the internet address (url)..
so the process of exposing the file is more complex than just a simple one line change.
Sorry to bring this up again.
So it is not possible to show/get the actual URL of the file?
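Added example, not part of any post in this thread and not Elgg's own code: a sketch of a download handler that accepts the extension-suffixed URL asked about above (.../download/50323.mp3) while still serving the file through PHP, so Elgg's access check keeps applying. The function names are hypothetical; it assumes Elgg 1.8's get_entity(), elgg_instanceof(), ElggFile::getFilenameOnFilestore() and getMimeType(), and the originalfilename metadata that the file plugin stores on upload.

```php
<?php
// Added example; the example_* function names are hypothetical.

/**
 * Split a URL segment such as "50323.mp3" into GUID and extension.
 * Returns null unless it is digits plus an optional short extension.
 */
function example_parse_download_segment($segment) {
	$pattern = '/^([1-9][0-9]{0,17})(?:\.([A-Za-z0-9]{1,8}))?$/D';
	if (!preg_match($pattern, $segment, $m)) {
		return null;
	}
	return array(
		'guid' => (int) $m[1],
		'ext' => isset($m[2]) ? strtolower($m[2]) : '',
	);
}

/** Serve the file behind "file/download/<guid>.<ext>" through PHP. */
function example_download_with_extension($segment) {
	$parts = example_parse_download_segment($segment);
	// get_entity() returns false when the entity does not exist or the
	// current viewer lacks access, so non-public files stay non-public.
	$file = $parts ? get_entity($parts['guid']) : false;
	if (!elgg_instanceof($file, 'object', 'file')) {
		header('HTTP/1.1 404 Not Found');
		return false;
	}
	// The extension in the URL is cosmetic: it has to match the stored
	// name and is never used to choose what is read from disk.
	$original = (string) $file->originalfilename;
	$stored_ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
	if ($parts['ext'] !== '' && $parts['ext'] !== $stored_ext) {
		header('HTTP/1.1 404 Not Found');
		return false;
	}
	$path = $file->getFilenameOnFilestore();
	$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($original));
	header('Content-Type: ' . $file->getMimeType());
	header('Content-Length: ' . filesize($path));
	// Force a download and stop browsers from re-guessing the type.
	header('Content-Disposition: attachment; filename="' . $name . '"');
	header('X-Content-Type-Options: nosniff');
	readfile($path);
	return true;
}
```

The RSS enclosure view would append the same stored extension to its download URL, so feed readers see a link ending in .mp3 while the data directory stays outside the web root.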