Hide media libraries files from public

Dcode warner asked on May 3, 2017 18:14

To prevent files in a media library from being shared via 'direct path' or 'permanent link' to the public, how can I disallow the general public from seeing these files and only make them viewable for specified users/roles? Basically I'm trying to deny access to the general public to files for one folder in the media library.

This question is similar to what I'm asking (https://devnet.kentico.com/questions/permission-checking-in-kentico-media-libraries-not-working); however, I can replicate that it doesn't work. I can still access the files regardless of whether it's Authenticated or Authorized.

Recent Answers


Brenden Kehren answered on May 3, 2017 18:31

Are you testing on a browser with cache cleared and you being logged out of the Admin interface with your admin account?

0 votes

Dcode warner answered on May 3, 2017 19:13

@Brenden Kehren. Correct. I'm in a new browser with cleared cache (and history, for good measure).

0 votes

Jake Burgy answered on May 3, 2017 22:38

In our experience securing media libraries, three things have to happen (and this may not be 100% accurate but we've found these options to work the best) -

  1. Settings > Content > Media > Use permanent URLs must be ON.
  2. Settings > Content > Media > Check files permissions must be ON.
  3. Set the appropriate permissions on the Media Library you want to secure.

Then, when accessing or linking to media in the media library, ALWAYS use the /getmedia/ABCD-...-123/File-Name URL. This will check permissions. If you use the direct file path, permissions are not checked.

0 votes

Dcode warner answered on May 15, 2017 22:56

The opposite works for me. Using the Direct path checks for the permission. But with the Relative/Permanent link, the permission is not checked. How can I switch it around to the way you have yours?

0 votes

Jake Burgy answered on May 15, 2017 23:01

What version of Kentico are you running?

I'm not sure what would cause the opposite to happen - I would assume that the GUID / permanent URL would go through the Kentico system because it has to resolve it. Using a direct path means that IIS can serve the file directly (because it's physically located on disk on the server), so no Kentico permissions can be checked.

Do you know if you have the runAllManagedModulesForAllRequests="true" option enabled on the system.webServer/modules section in your web.config file? That may have an effect on it, as well.

1 vote

Dcode warner answered on May 16, 2017 16:44

We're using Kentico 7.

Before we make these changes, do you know what the setting changes and how it affects the rest of the system?

0 votes

Jake Burgy answered on May 16, 2017 16:51

Oh, sorry, I'm only familiar with 8+... (K7 is 5 years old now!) I couldn't tell you what the behavior of those settings is in 7, or even if those settings exist!

0 votes

Brenden Kehren answered on May 16, 2017 17:39

Dcode,

The config change Jake suggests won't break your site. It is needed in v7 for extensionless urls and a few other features. Check out the IIS Documentation on the modules node.

0 votes

Dcode warner answered on May 22, 2017 19:02

@Brenden Kehren and @Jake Burgy I confirm that these settings are already set as true in K7.

Alternatively, is there a way to redirect a URL that matches a path to my login page instead of the CMSDESK (I was hoping I can do this in the Random Redirect webpart):

Example: https://www.xxx.com/site/media/gallery/folder/fileA.pdf
https://www.xxx.com/site/media/gallery/folder/fileB.pdf
https://www.xxx.com/site/media/gallery/folder/fileC.pdf

0 votes

Jake Burgy answered on May 22, 2017 19:22 (last edited on May 22, 2017 19:22)

Yes, but this is outside the scope of Kentico; you would do this at the IIS level using the URL Rewrite module.

Here is some Microsoft documentation on how you can redirect certain pages, paths, folders, etc. to a different location based on some criteria:

https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module

0 votes
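
The kind of IIS URL Rewrite rule the answer above points to, as an added example that is not part of the original thread: it redirects every request for the direct path of the example folder to a login page. The folder path comes from the example URLs in the question; the login page path and the `returnurl` parameter name are assumptions (placeholders).

```xml
<!-- web.config fragment (added example; requires the IIS URL Rewrite module) -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- The pattern is tested against the URL path without the leading
             slash, relative to the location of this web.config.
             Folder path taken from the example URLs in the thread. -->
        <rule name="Redirect direct media path to login" stopProcessing="true">
          <match url="^site/media/gallery/folder/.+" ignoreCase="true" />
          <!-- /LOGIN-PAGE-PLACEHOLDER.aspx and "returnurl" are assumptions:
               substitute the site's real login page and return parameter.
               redirectType="Found" sends a 302, so browsers do not cache
               the redirect permanently. -->
          <action type="Redirect"
                  url="/LOGIN-PAGE-PLACEHOLDER.aspx?returnurl={UrlEncode:{REQUEST_URI}}"
                  appendQueryString="false"
                  redirectType="Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

URL Rewrite does not evaluate Kentico permissions, so this rule redirects signed-in users as well. It only closes the direct path; permitted users would still need a link that goes through Kentico's permission check.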
