Similarly to MediaUrl we could have an AuthorizedMediaUrl on MediaPart. This would point to a URL that routes the file access through a controller action where content item permissions are checked for the media item. (This is naturally only applicable to media
items that have a corresponding local file.)
This would need the following to work:
- The URL of the real file behind the media item shouldn't be published, but this is up to the user.
- To mask the relative path to the real file, the arguments the action gets to locate the media item's file shouldn't include the real file path. The arguments need to include the (or an) ID of the item to locate it, but this can't be the numerical ID alone,
since we only want certain files to be accessible through the action (being able to fetch any media through a controller would make a DoS attack possible).
So this is what I propose:
Media items should have a unique but not guessable ID associated with them (e.g. a GUID). Their corresponding files, if they exist, can be fetched through a controller action that only needs this ID. With the help of the ID it fetches the media item, enforces the corresponding
permissions and returns the file named as the ID.
This is quite simple, would work with any media item without any further configuration and is developer friendly (because e.g. a media item doesn't have to be set as "secret" by the user explicitly). However, if the real path of the media is published
or is guessable (i.e. the user doesn't know exactly how this all works), it can be circumvented.
To overcome this (but this is just thinking aloud) there could be further services built on top of this feature, e.g. a part that hides the real URL everywhere and swaps it with the authorized one, together with storing the file under a random file name...
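The controller action sketched above, as an added example in ASP.NET MVC; this is not Orchard's code or part of the proposal, and the `MediaRecord` class, the `IMediaLookup` and `IMediaAuthorizer` services, the `_storageRoot` setting and the `/AuthorizedMedia/{id}` route are assumptions made here to keep the sample self-contained. The only thing that travels in the URL is the GUID; the real relative path is read from the record server-side, the permission check runs before any file access, and the bytes are served under the ID rather than the original file name.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical record and services standing in for the media repository and
// the content permission check; they are not Orchard's own types.
public class MediaRecord
{
    public Guid PublicId { get; set; }       // unguessable ID exposed in AuthorizedMediaUrl
    public string RelativePath { get; set; } // real path under the storage root; never sent to the client
    public string MimeType { get; set; }
}

public interface IMediaLookup
{
    MediaRecord FindByPublicId(Guid publicId);
}

public interface IMediaAuthorizer
{
    bool CanView(IPrincipal user, MediaRecord media);
}

public class AuthorizedMediaController : Controller
{
    private readonly IMediaLookup _lookup;
    private readonly IMediaAuthorizer _authorizer;
    private readonly string _storageRoot; // absolute path of the media folder, with trailing separator

    public AuthorizedMediaController(IMediaLookup lookup, IMediaAuthorizer authorizer, string storageRoot)
    {
        _lookup = lookup;
        _authorizer = authorizer;
        _storageRoot = Path.GetFullPath(storageRoot).TrimEnd(Path.DirectorySeparatorChar)
                       + Path.DirectorySeparatorChar;
    }

    // Assumed route: /AuthorizedMedia/{id}. Only the GUID is accepted as input.
    [HttpGet]
    public ActionResult Get(string id)
    {
        Guid publicId;
        if (!Guid.TryParse(id, out publicId))
            return HttpNotFound();

        var media = _lookup.FindByPublicId(publicId);

        // Unknown ID and forbidden item get the same answer, so the action
        // cannot be used to probe which IDs exist.
        if (media == null || !_authorizer.CanView(User, media))
            return HttpNotFound();

        // Defence in depth: the stored relative path must resolve inside the
        // storage root, even if a record has been tampered with.
        var fullPath = Path.GetFullPath(Path.Combine(_storageRoot, media.RelativePath));
        if (!fullPath.StartsWith(_storageRoot, StringComparison.OrdinalIgnoreCase)
            || !System.IO.File.Exists(fullPath))
            return HttpNotFound();

        // Serve the bytes under the ID, so the response reveals nothing about
        // where the file really lives.
        var downloadName = publicId.ToString("N") + Path.GetExtension(media.RelativePath);
        return File(fullPath, media.MimeType ?? "application/octet-stream", downloadName);
    }
}
```

The ID itself can simply be `Guid.NewGuid()` assigned when the media item is created; .NET generates random (version 4) GUIDs, which are not enumerable the way the numerical content item ID is. Two details matter for the circumvention point raised above: the action answers 404 for a missing, unparseable and unauthorized ID alike, and the only path information it ever emits is the file extension, which could also be dropped from the download name if the media type should stay hidden too.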