When this event is attached to a page, it enables the page to force a download. The download can be triggered by adding the parameter file to the URL:

<a href="/download/?file=workspace/uploads/manual.pdf">Download manual</a>

To prevent that anyone can download any file from your website you have to set which folders are allowed for visitors to download files of. Otherwise evil people can download your config-settings for example simply by changing the URL in the browser bar to: /download/?file=manifest/config.php.

To do this, you need to add a list of trusted locations to the 'Force Download'-section on the preferences page.

You can also download the page itself, by adding the parameter download to the URL. The value of this parameter will be the name of the file. For example:

<a href="/sheet/?download=sheet.xml">Download sheet in XML-format</a>

The first directory listed in $allowedDirs will act as a default download directory if you do not wish to include a path in the ?file= parameter. For example, if the first entry in $allowedDirs is workspace/uploads then a GET request of ?file=my-example-file.pdf will download the file workspace/uploads/my-example-file.pdf

Requests for files that cannot be found on the filesystem, or are not included in the $allowedDirs will show Symphony's 404 page.