DOCS Warning about protected file serving in 4.x

Ingo Schommer 2019-08-23 16:09:31 +12:00 committed by Robbie Averill
parent 9a76d4adb4
commit 229df95fe9
3 changed files with 20 additions and 1 deletions

@ -333,7 +333,7 @@ any requests to the assets directory. Invalid files will be blocked regardless o
exist or not, and will not invoke any PHP processes.
</div>
### Configuring: Protected file headers
### Configuring: Protected file headers {#protected_file_headers}
In certain situations, it's necessary to customise HTTP headers required either by
intermediary caching services, or by the client, or upstream caches.
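
Review bot: the anchor added to the heading, `{#protected_file_headers}`, uses underscores, while the other anchors visible in this commit (`#file-types`, `#asset-storage`) use hyphens. Consider `{#protected-file-headers}` for consistency, and update the `file_security#protected_file_headers` link in the upgrade section to match.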

@ -100,6 +100,23 @@ SilverStripe\Assets\Flysystem\FlysystemAssetStore:
keep_archived_assets: true
```
## Review draft/protected files served through PHP
In SilverStripe 3.x, files were always public. This allowed them to be served
directly by your webserver without performing any checks in PHP logic (e.g. permissions).
In SilverStripe 4.x, this behaviour is retained for public and unprotected files.
If files are in draft, or are protected by additional permission checks,
they are now served via PHP. Although those additional requests are fairly lightweight,
you need to take them into account in your capacity planning (e.g. max workers configuration).
Webserver environments handle HTTP responses for files,
for example adding `Content-Type`, or adding cache headers configured
via `.htaccess` or other webserver configuration options.
These headers impact the behaviour of how browsers and intermediary layers
such as proxies and CDNs. See [File Security: Allowed extensions](file_security#file-types)
and [File Security: Protected file headers](file_security#protected_file_headers) for details.
## Migrating substantial numbers of files {#performance}
The time it takes to run the file migration will depend on the number of files and their size. The generation of thumbnails will depend on the number and dimension of your images.
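
Review bot: the sentence "These headers impact the behaviour of how browsers and intermediary layers such as proxies and CDNs." in the last paragraph of the new section has no verb after "CDNs"; something like "handle and cache these files" is needed. The paragraph also stops short of stating the consequence for files served via PHP: if the point is that `Content-Type` and cache headers configured via `.htaccess` or other webserver configuration are not applied to those responses, say so explicitly, since a reader otherwise has to infer it from the two links. The new heading also has no explicit anchor, unlike `{#performance}` on the heading below it.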

@ -40,6 +40,8 @@ For users upgrading to later versions, please see the specific [4.1.0](4.1.0) an
* Asset storage has been abstracted, and a new concept of `DBFile` references via database column references
now exists in addition to references via the existing `File` dataobject. File security and protected files
are now a core feature ([details](#asset-storage))
* Assets are uploaded as drafts by default, and need to be published (often as part of pages) ([details](#asset-storage))
* Draft and protected assets are served by PHP rather than the webserver ([details](#asset-storage))
* Asset admin has been replaced with a purely ReactJS powered upgrade, and split out
module called [asset-admin](https://github.com/silverstripe/silverstripe-asset-admin/).
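
Review bot: the bullet "Draft and protected assets are served by PHP rather than the webserver" links to `#asset-storage`, the same target as the two bullets above it. The capacity planning and header implications are documented in the "Review draft/protected files served through PHP" section added in this commit, so unless `#asset-storage` already covers them, point this bullet at that section or at `file_security#protected_file_headers` instead.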