How can I prevent media stored in Pimcore Media Management from being delivered without access restriction? What options are there to restrict access to assets?
Pimcore has a powerful and convenient media management system, so it is natural to use it as a digital asset management (DAM) system as well. If images and videos are used in a document that is subsequently published, these media must be publicly accessible. For that reason, all media in Pimcore asset management are publicly accessible by default: the only requirement for access is that the address of the asset is known.
If I want to use media management as a DAM system, I also want to store and manage media regardless of their specific use. There may be confidential documents that are not intended for the public.
The simplest way to restrict access to the DAM is to delete the following rule from the .htaccess file in the "public" directory of the Pimcore root directory:

    RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)
    RewriteCond %{DOCUMENT_ROOT}/var/assets%{REQUEST_URI} -f
    RewriteRule ^(.*)$ /var/assets%{REQUEST_URI} [PT,L]
After that, only images and videos for which a thumbnail has been created will still be delivered.
Thumbnails are variants of the original files produced by an image processor. For example, different resolution variants of an image can be created for differently sized viewports in responsive design, or the encoding of a video can be changed for delivery. Thumbnails are delivered from a different directory than the originals, so removing the rule above restricts access to the media management: the originals are no longer freely accessible, while thumbnails still are. As a consequence, PDF and Office files, for which no thumbnails can be generated, are no longer accessible either.
To restrict access further, or to re-enable access to specific media, a Symfony controller has to be written. With a controller, more complex access rules for the media can be implemented.
A simple rule, such as making all files from a certain asset folder (e.g. public) freely accessible regardless of their format, can still be expressed in the .htaccess file, as before.
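As an added example (not code from the Pimcore project), the following .htaccess fragment replaces the removed catch-all rule with one that only serves originals stored below an asset folder named "public"; it assumes the layout described above, with the web server's document root being Pimcore's "public" directory and the originals living in var/assets relative to it.

```apache
# Added example, not part of the Pimcore default .htaccess.
# Serves original assets only from the "public" folder of the asset tree;
# everything else in var/assets stays inaccessible via direct URL.
RewriteEngine On

# Same method restriction as the original rule: read-only requests.
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$

# Only paths below the asset folder "public" (assumed folder name).
RewriteCond %{REQUEST_URI} ^/public/

# Defence in depth: refuse any ".." path segment so that no request can
# be rewritten to a file outside the allowed folder.
RewriteCond %{REQUEST_URI} !(^|/)\.\.(/|$)

# Only rewrite when the original file really exists in var/assets,
# as the original rule did.
RewriteCond %{DOCUMENT_ROOT}/var/assets%{REQUEST_URI} -f
RewriteRule ^(.*)$ /var/assets%{REQUEST_URI} [PT,L]
```

Thumbnails are unaffected by this fragment because they are delivered from their own directory; any asset outside the "public" folder can then only be made available through a Symfony controller that checks the caller's permissions.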