Child pages
  • [in-commerce] File Download Without Authorization [5.0.2]
Skip to end of metadata
Go to start of metadata

Imported From:

I've tested the Download product type.

Once order approved, the download is available in "My Downloads", as expected, and the download link is http://website.tld/products/in-commerce/elements/download.elm/test.html?env=file.downl--- .

I've been very surprised to discover that this download link works anytime, on any other browser, even after I logged out. How does filtering on download permissions applies? Does this problem belong to my local installation?


  1. Hi Phil,

    Did you have a chance to test this on 5.0.2 just yet?


  2. As you can see in Phil original post it's already in 5.0.2 installation in
    Wamp server.

  3. I've tested on 5.0.3 version and when I have no permission to download
    products file and I visit file download link (obtained from user, who has
    right to download that file), then I get "File Access permission check
    failed!" message and no file is sent to user.

    Here is the link I've used: ""
    (on "advanced" theme).

    If you are talking about direct link to file from "/system/downloads"
    folder, then you should check, that ".htaccess" from that folder is read by
    webserver configuration.

    If you are talking about ability to be able to directly

  4. Hi Phil,

    You should check this on 5.0.3 on your end and update this discussion.


  5. Hi Dmitry,

    I've planned to check on this later this week or beginning of next one.


    2010/3/25 Dmitry Andrejev <>: