Restricted access to documents and images (member only files)
If users have a direct link to a file, they will have the ability to download it (i.e. page permissions are not inherited by the files on those pages)
Restrict folders and the files in those folders by membership/administrative/group level
We are excited to announce the launch of the “Restricted access for folders” feature. It is currently available for use and we are closing the wishlist thread. Thank you for your patience and feedback that help us to make this feature most useful for you.
Here’s how it works:
- You now have the ability to set permissions on folders. All files and subfolders inside are automatically assigned the new access level.
- When a new file is uploaded into this folder or sub-folder, it is automatically assigned the same level of access.
- Within the restricted folder, the administrator is still able to change the access level for individual files and subfolders.
- The new functionality is also available in the Insert resource dialog.
This is an important feature as once something is google indexed it never goes away,
Our organization also requires this. I suspect EU rules would also mandate that security of this nature be implemented on documents.
Please add us to your list of those in favor of such a feature!
We post a newsletter (subscription only) as a pdf. We found that subscriber numbers went down a bit this year because a few less scrupulous members were sharing the link with other members who 'cried poor' about signing up for a very reasonably priced information packed newsletter.
While I wont tell you what you have to or need to do - I'd very much appreciate this feature as an added value to an already excellent product.
Thanks for all you do.
One of the major reasons that you need to provide directory permissions is not so much giving access to new members. but more importantly, removing access to members that discontinue their membership. You can't move all the files to a new directory every time someone discontinues their membership. It is ridiculous to rely on a "secret" directory for security to preserve security. I have software myself that will track down any and all directories on a website whether or not they are "linked" to or not.
You need to implement some sort of .htaccess file in the directory to be protected that verifies that anyone trying to access the directory is authorized currently (i.e. some sort of database cross check).
I am not currently a user of Wild Apricot, but I am actively looking for a better solution than what I have currently. I was very interested in your program until I saw this was an issue. I must be able to selectively protect specific directories and grant and take away access rights to users.
We are also interested in this feature as described:
Security holes are unexpected security problems - this functionality works exactly as designed and we clearly explain this in help.
We do understand why people want to change this and the importance for some organizations so this is progressing in our development pipeline.
This absolutely positively must be fixed. I really like WA and have many many clients using it but this is disturbing. So basically the files are secure as long as you: 1) don't use a 3rd party search engine, 2) you don't post a link to it anywhere, and 3) no one emails a direct link to someone? So someone can simply log out and then see whatever they like.This simply must be fixed. Can't simple IIS security take care of it? As a web developer my clients trust me to provide solutions and I am going to have to ensure that they know files are accessible.
~ Carrie Knight, Blue Pixels Media
Thanks for posting. I have merged your posts into existing thread.
Quick comment for now: your files can now be accessed only if somebody knows a direct link to a particular file (and if that link is posted on a public page, search engines would index the file). So if your files are named in a non-obvious way and you only link to files from member only pages, there is no way for unauthorized people to access them. The exception of course is if a member shares a link with someone - though you can't really prevent this since anyone who has access to file can download and forward it anyway. [/quote]
I also want to vote for this feature. I have several sites that could benefit from secure documents.
It would be important to have secure documents only members can see and also documents only system administrators can see.
Evgeny Zaritovskiy commented
Cannot add anything more than already shown here -http://forums.wildapricot.com/forums/308932-wishlist/suggestions/8827717-roadmap-2015-plans-releases-expected-dates
CVMG web Administrator commented
[quote user="Apricot Kernel"]Sorry, no solid ETA - somewhat second half of this year. [/quote]
Just following up - so in place for end of 2014 then ?
Evgeny Zaritovskiy commented
Sorry, no solid ETA - somewhat second half of this year.
CVMG web Administrator commented
[quote user="Chief_Apricot"] This will be added for sure - the only question is when. Curently this is one of the top candidates for version 5.1 (~ end of this year). See http://www.wildapricot.com/blogs/newsblog/2013/03/27/wild-apricot-software-news-march-2013---state-of-the-(wild-apricot)-nation [/quote]
I was just following up on this and wondering if there were a more solid ETA for this feature ? It is something we have expressed interest in a number of times in conversations with your support people.
Not sure what you mean by preview - but public visitors can only view your documents if they have an exact link to a specific document. They cant view/browse your list of documents.
Alice Brown commented
Is there any way to restrict preview of ducument publicly?
Cathie Izor commented
Please add our interest in secure documents for restricted users. I would like to establish an Archives folder of minutes, financial reports, etc. that only board members could access. Currently all our board members have read-only access and we have set them up in a group also. This is the only group I would like to be able to access our archives. These files are pretty small so I know they won't take up much space in our data storage limit.
Actually, I went digging around today to set up this folder and found that any document we have can actually be accessed by anyone who knows that link. That's mostly not a problem since the docs and photos we currently store are not sensitive. But I'd REALLY like to be able to have a secure folder for our archives.
Glad to see that others have wanted this and that it is creeping closer in the master plan.
Consider this one more organization that really wants this.
This will be added for sure - the only question is when. Curently this is one of the top candidates for version 5.1 (~ end of this year). See http://www.wildapricot.com/blogs/newsblog/2013/03/27/wild-apricot-software-news-march-2013---state-of-the-(wild-apricot)-nation
Kimberly Reese commented
I've seen this posted several times in other locations of the Community, but didn't see it mentioned here.
WA needs to provide the ability to secure documents / files with some sort of .htaccess type process. My organization has mission critical information that needs to be available to our Active members, only. I've been using the trick of "only placing the document links on the restricted pages". But, it's only a matter of time before someone does something and Google crawls our stuff.
We love the WA functionality, and decided to go with this solution with the understanding that security would be added in an upcoming release. I know many other users have got to be scratching their heads on this issue as well. Will this be included?
Just wanted to throw my weight into the discussion: having secure document functionality is absolutely vital for my association.
My members are law firms - very conscious of security and risks....
I would also add that it is not crystal clear in the WA material. As a new subscriber to WA I wasn't aware of this weakness. It is a bit disappointing to discover it after time, energy and money invested in WA.
We would only know that once its scheduled in a particular release. However, our main focus for the next ~5 months is to polish and release the new CMS in version 5. In a few months we will decide whether this is included into the next version scope (5.1)
Bryan Buus commented
It's been over two years now since this topic was first broached. It's important to many of us. When will this be implemented?