Note on security
Allowing users to access your server and files can lead to security risks. That’s why FileGator has a whole set of security features implemented out of the box reducing that risk to minimum. These features include:
- Users can login to system only if you grant them access.
- You can grant read-only permissions and disable upload and write operations.
- Special .htaccess file inside repository folder prevents users from executing php and other scripts. Check if this is working (see below).
- Filesystem operations between browser and server can be encrypted with mcrypt function. This can be enabled with config parameter encrypt_url_actions.
- Users cannot exit their own home folder.
- In users database file passwords are encrypted. This file is protected with .htaccess and can be stored outside web root folder on secure location.
If for some reason you need very strong security you can improve security even more by following these security guidelines:
- Always use the latest FileGator version.
- Pick strong passwords for users and admin, disable changing passwords if necessary to prevent users from picking weak passwords.
- Relocate config/config.json file outside web root folder.
- Check if users can execute php scripts by uploading test.php file to user repository. If 403 access forbidden error is thrown when user clicks on test.php file then this security feature is working. Beware that .htaccess works on Apache servers only.
- Enable url encryption for filesystem actions in config section (encrypt_url_actions = true). When this function is enabled server will accept only encrypted filenames for all operations.
- Grant access to the users you trust, not everyone.
- Enable ssl on your server and accept only https connections. This way all communication between user and server will be encrypted. You may need to adjust base_url inside config.
- Use repository folder outside web root (public server path) and disable “allow_file_links” and “use_lightbox_gallery” in configuration.php
- Do not use shared hosting or shared servers.
- Test everything with non-critical data.
If repository folder is under filegator (or under any other “public” server path) then files will be accessible trough the URL and users knowing the right URL can download the files. This is default because filegator is a file manager and many people have chosen it so they can easily manage existing web sites and other “live” content. If you want to hide files completely you can still do that by setting repository folder outside filegator (on some safe location). As an alternative you can edit .htaccess file inside repository folder and put “Deny from All” there which will block all direct file access. If you do this, users can only use download button inside filegator to download files, email and direct links will have to be disabled in this case (configuration.php)
And remember, you are solely responsible for your files, server and data. If you have very sensitive data do not use this or any other software or digital storage – store your data in safe-deposit box in a bank you trust.