Secure links with access control profile, scheduling and moderation


We intend to secure the download link with the access control defined in the KMC. Especially we would like to check if the referer of the request is one defined domains in the access control profile.
In result that the entries, which are secured with a access control rule, are no longer accessable through the generated links like “” if they dont match the access rules.
In addition if the entry is in moderation it should not be accessable with this link and even if the scheduling is expired it should deny the access.
We would like to implement a solution in the right part of the code. Where could we achieve a solution for this?


Hello @roger78,


Do you mean you’d like to set up access control and moderation using the API as opposed to setting it up in KMC? If so, then you need to use the [accessControlProfile API] (

And then you can set accessControlId on the media object for the entries you want that access control profile to apply to.



We would like to apply the restrictions of the access control profile, scheduling and moderation in th KMC to these links which serves the video players.
The cause of this is, these links are always available for download and further embedding in other sides without any error, even if no access control profile, scheduling or meoderation state are allowing this.

We are looking for the right place in the code where we could implement some code to make these links:
more secure

The reason is the privacy of the entries so they should not be easily downloadable or sharable this way.

One solution could be we change the RewriteRule in the apache configurations
RewriteRule (?<!extwidget)/serveFlavor/(.*)$ /index.php/extwidget/serveFlavor/$1 [L]
to an own script which checks the restrictions and let them head to /index.php/extwidget/serveFlavor/$1 or not.

but I am looking for the part of code where the /index.php/extwidget/serveFlavor/$1 me leads to.

Thank you