Add support for $template->pagefileSecure option configured per-template. This also expands upon what $config->pagefileSecure could do before, now supporting the ability to secure Pagefiles even for public pages when appropriate.

wire/core/Config.php

@@ -149,6 +149,7 @@
  * 
  * @property string $userAuthSalt Salt generated at install time to be used as a secondary/non-database salt for the password system. #pw-group-session
  * @property string $userAuthHashType Default is 'sha1' - used only if Blowfish is not supported by the system. #pw-group-session
+ * @property string $tableSalt #pw-group-system Additional hash for other (non-authentication) purposes, present only on installations start from 3.0.164+. #pw-group-system
  * 
  * @property bool $internal This is automatically set to FALSE when PW is externally bootstrapped. #pw-group-runtime
  * @property bool $external This is automatically set to TRUE when PW is externally bootstrapped. #pw-internal

wire/core/Page.php

@@ -4107,6 +4107,26 @@ class Page extends WireData implements \Countable, WireMatchable {
 		return $this->filesManager; 
 	}
 
+	/**
+	 * Does this Page use secure Pagefiles?
+	 * 
+	 * See also `$template->pagefileSecure` and `$config->pagefileSecure` which determine the return value. 
+	 *
+	 * #pw-group-files
+	 *
+	 * @return bool|null Returns boolean true if yes, false if no, or null if not known
+	 * @since 3.0.166
+	 *
+	 */
+	public function secureFiles() {
+		if($this->wire()->config->pagefileSecure && !$this->isPublic()) return true;
+		if(!$this->template) return null;
+		$value = $this->template->pagefileSecure;
+		if($value < 1) return false; // 0: disabled
+		if($value > 1) return true; // 2: files always secure
+		return !$this->isPublic(); // 1: secure only if page not public
+	}
+
 	/**
 	 * Does the page have a files path for storing files?
 	 * 

wire/core/PagefilesManager.php

@@ -62,6 +62,14 @@ class PagefilesManager extends Wire {
 	const metaFileName = '.pw';
 	 */
 
+	/**
+	 * Count of renamed paths when changing between pagefileSecure and non-pagefileSecure
+	 * 
+	 * @var int
+	 * 
+	 */
+	static $numRenamedPaths = 0;
+
 	/**
 	 * Reference to the Page object this PagefilesManager is managing
 	 * 
@@ -528,7 +536,7 @@ class PagefilesManager extends Wire {
 	 */
 	static public function _path(Page $page, $extended = false) {
 
-		$config = $page->wire('config');
+		$config = $page->wire()->config;
 		$path = $config->paths->files; 
 		
 		$securePrefix = $config->pagefileSecurePathPrefix; 
@@ -541,39 +549,39 @@ class PagefilesManager extends Wire {
 			$publicPath = $path . $page->id . '/';
 			$securePath = $path . $securePrefix . $page->id . '/';
 		}
-		/* @todo 3.0.150:
-		$filesPublic = true;
-		if(!$page->isPublic()) {
-			// page not publicly viewable to all, check if files are public or not
-			if($config->pagefileSecure) {
-				$filesPublic = false;
-			} else if($page->template && $page->template->pagefileSecure) {
-				$filesPublic = false; // 3.0.150+
-			}
-		}
-
-		if($filesPublic) {
-		*/
-		if($page->isPublic() || !$config->pagefileSecure) {
+		
+		$secureFiles = $page->secureFiles();
+		
+		if($secureFiles === false) {
 			// use the public path, renaming a secure path to public if it exists
-			if(is_dir($securePath) && !is_dir($publicPath)) {
-				@rename($securePath, $publicPath);
+			if(is_dir($securePath) && !is_dir($publicPath) && $secureFiles !== null) {
+				$page->wire()->files->rename($securePath, $publicPath);
+				self::$numRenamedPaths++;
 			}
 			$filesPath = $publicPath;
 			
+		} else if($secureFiles === null) {
+			$filesPath = $publicPath;
+			
 		} else {
 			// use the secure path, renaming the public to secure if it exists
 			$hasSecurePath = is_dir($securePath);
 			if(is_dir($publicPath) && !$hasSecurePath) {
-				@rename($publicPath, $securePath);
+				$page->wire()->files->rename($publicPath, $securePath);
+				self::$numRenamedPaths++;
 
 			} else if(!$hasSecurePath && self::defaultSecurePathPrefix != $securePrefix) {
 				// we track this just in case the prefix was newly added to config.php, this prevents 
 				// losing track of the original directories
-				$securePath2 = $extended ? $path . self::_dirExtended($page->id, self::defaultSecurePathPrefix) : $path . self::defaultSecurePathPrefix . $page->id . '/';
+				if($extended) {
+					$securePath2 = $path . self::_dirExtended($page->id, self::defaultSecurePathPrefix);
+				} else {
+					$securePath2 = $path . self::defaultSecurePathPrefix . $page->id . '/';
+				}
 				if(is_dir($securePath2)) {
 					// if the secure path prefix has been changed from undefined to defined
-					@rename($securePath2, $securePath);
+					$page->wire()->files->rename($securePath2, $securePath);
+					self::$numRenamedPaths++;
 				}
 			}
 			$filesPath = $securePath;
@@ -587,6 +595,22 @@ class PagefilesManager extends Wire {
 		return $filesPath; 
 	}
 
+	/**
+	 * Get quantity of renamed paths to to pagefileSecure changes
+	 * 
+	 * #pw-internal
+	 * 
+	 * @param bool $reset Also reset to 0?
+	 * @return int
+	 * @since 3.0.166
+	 * 
+	 */
+	static public function numRenamedPaths($reset = false) {
+		$num = self::$numRenamedPaths;
+		if($reset) self::$numRenamedPaths = 0;
+		return $num;
+	}
+
 	/**
 	 * Generate the directory name (after /site/assets/files/)
 	 * 

wire/core/Template.php

@@ -81,7 +81,7 @@
  * @property int|bool $noAppendTemplateFile Disabe automatic append of $config->appendTemplateFile (if in use).  #pw-group-files
  * @property string $prependFile File to prepend to template file (separate from $config->prependTemplateFile).  #pw-group-files
  * @property string $appendFile File to append to template file (separate from $config->appendTemplateFile).  #pw-group-files
- * @property bool $pagefileSecure Use secure pagefiles for pages using this template? (3.0.150+) #pw-group-files
+ * @property int $pagefileSecure Use secure pagefiles for pages using this template? 0=No/not set, 1=Yes (for non-public pages), 2=Always (3.0.166+) #pw-group-files
  * 
  * Page Editor
  * 
@@ -272,7 +272,7 @@ class Template extends WireData implements Saveable, Exportable {
 		'noAppendTemplateFile' => 0, // disable automatic inclusion of $config->appendTemplateFile
 		'prependFile' => '', // file to prepend (relative to /site/templates/)
 		'appendFile' => '', // file to append (relative to /site/templates/)
-		'pagefileSecure' => false, // secure files connected with page? (3.0.150+)
+		'pagefileSecure' => 0, // secure files connected with page? 0=Off, 1=Yes for unpub/non-public pages, 2=Always (3.0.166+)
 		'tabContent' => '', 	// label for the Content tab (if different from 'Content')
 		'tabChildren' => '', 	// label for the Children tab (if different from 'Children')
 		'nameLabel' => '', // label for the "name" property of the page (if something other than "Name")
@@ -1376,6 +1376,23 @@ class Template extends WireData implements Saveable, Exportable {
 		return $this->wire('templates')->getPageClass($this, $withNamespace);
 	}
 
+	/**
+	 * Check that all file asset paths are consistent with current pagefileSecure setting and access control
+	 * 
+	 * #pw-internal
+	 * 
+	 * @return int Returns quantity of renamed paths, or 0 if all is in order
+	 * @since 3.0.166
+	 * 
+	 */
+	public function checkPagefileSecure() {
+		PagefilesManager::numRenamedPaths(true);
+		foreach($this->wire()->pages->findMany("template=$this, include=all") as $p) {
+			PagefilesManager::_path($p);
+		}
+		return PagefilesManager::numRenamedPaths(true);
+	}
+
 	/**
 	 * Set the icon to use with this template
 	 *