I use Server-to-server interaction feature of Google Drive using API to maintain files that are uploaded by a group of users and seen by others. Before I note down my problem let me first explain the structure of my app (in php).
I have multiple user groups. Let me explain them in brief:
User group 1 - Super Admin has the ability to upload/view/modify/download/delete a file in any folder.
User group 2 - Sub Admin has the ability to upload/view/modify/delete all files but only in a single folder.
User group 3 - Creator of content, they have the ability to upload/view files uploaded by them. Each creator has his own folder. (and has functionality to mark files to be downloaded)
User group 4 - Reader of content, they have the ability to view files uploaded by reader. (They will be able to download only certain files that the creator has marked for downloading, otherwise not.)
My App is live and functioning till now. And I need to add these functionalities but I couldn't find any specific documentation for these requirements.
How do I restrict files to open only through my website and not otherwise? No public links.
Disable download and other buttons on all files except for some (depending on the user type(id and role)).
Please provide me appropriate links or documentation regarding the same.
Related
i'm trying to make vacancies plugin for my website (corporate website where users can submit their job offer application).
What i am trying to achieve:
User goes to specified page
User uploads file with regard to the provided guidelines
Script saves file in the specified folder and gets name of the file as the name of the applicant
Script adds information to database (id, applicant_name, file_path, created_on, updated_on)
Admin can view application in the backend
I've managed to achieve first 4 goals, however i have no idea on how to allow administrator to get the link to the file from the backend.
I'm using models to store information in the database. On the backend i can see when the file is uploaded and what is the name of the applicant. However, what im trying to do is when administrator clicks on the item in the list (model default update page), he should be prompted with the link to download file.
Here are few screenshots:
Form to send the CV
Backend View
Here administrator should be able to get the link to download file (maybe, later i will do integration with Office Online Document Viewer)
Database view after file has been submitted
Anyone have an idea on how to provide such functionality to the administrator?
Maybe, to simplify question even more, i will put it this way:
How can i get Model object in the update.htm in the controller file, so i can access all of the fields of the model from this file. Right now it uses
$this->renderForm();
My aim is to make a multi-user website which may have between 30 to 3000 users. once one uploads an avatar or an image, How should it handle directory naming?
1- all files in one folder?
2- all files in folders separated by day?
/img/upload/2013/05/14/brothers32_5464562.jpg
3- all files in folders separated by user name?
/img/upload/users/brothers32/5464562.jpg
I don't like change my way in mid-way.so, according to your experience which way do you suggest to choose?
I agreed with StarCub until I read each user could upload multiple images. Then I'd do this:
Profile picture. All in 1 folder (as StarCub suggested):
/img/upload/users/USERID.jpg
Uploaded pictures. All in another folder:
/img/upload/userimg/2013/PICID.jpg
EXCEPT if you expect users to upload many pictures. I'd say 1000-5000 pictures per folder is good, so maybe order them by month depending on what kind of site the page is.
If you only have to up 3000 users and each user only has one avatar, I would just put them all in one folder (OPTION 1) and name them use user ID or some sort of unique identifier for that user.
If each user can upload multiple images, then I would use OPTION 3.
I've found several answers to this question, but each case was different from mine. Before I spend hours implementing what I think will work, I'd like to get an opinion or two. Who knows, there may be an easier solution that will benefit someone else too!
I'm in the process of creating a website which provides a photo modification service. Each of my customers will be uploading their photos using a modified version of a jQuery/PHP upload script I found on Github (BlueImp's File Upload script- props BlueImp!) When each image is done uploading, a thumbnail of the image is displayed next to the image's filename.
The upload page creates a folder based on their Order #, and a thumbnail subfolder where the images are stored. For example, for Order # 12345:
/uploads/12345 <- Folder where the uploaded images will go
/uploads/12345/thumbs <- Folder where thumbnails will be served from
It's important that clients don't access other clients' photos. I moved the uploads folder outside of my website root, but then the thumbnails weren't displaying when the images finished uploading because, well, they weren't in the website root so the links weren't working.
Here's a solution I thought of:
Separate the folders. Move the main upload folder outside of the document root, but leave the thumbnail folder inside the doc root, so the thumbnails can be served up when each upload completes. When the user has finished uploading their images, delete the thumbnail folder corresponding to that Order #.
Is there a better way to do it? My concern is preventing access to photos (A client will only have to upload them once, then wait for us to finish the modifications. They will NOT have to log back in to download them.) I don't want someone to be able to access the upload folder via the address bar or anywhere else. Can I use an .htaccess file to restrict access, but still allow for linking to the thumbnail images via the upload script?
I apologize for the wordy question. I tried to be as succinct as my limited knowledge of programming would allow. Thank you in advance for your time and effort in helping with this.
two way around
Write a blank index.html on each directory, which will prohibit to access files.
Write below in .htaccess ( if not exist then create this file )
Options -Indexes
OR If you want NO ENTRY outside of the LAN
# no nasty crackers in here!
order deny,allow
deny from all
allow from 192.168.0.0/24
# this would do the same thing..
#allow from 192.168.0.0 to 192.168.0.24
Reference
One more
You want to show the thumbs to each owner customers but not to others?
knowing the Order number (is sequenziell) you can easily try some links and see some photos.
I suggest to use a .htaccess to password the upload folder and to generate a hash number for every thumb that you have to attribute to the order number.
A second solution: password with a .htaccess the upload folder and generate a thumb when you generate the order confirmation page without saving the thumb. (he has to see it only once as you mention).
have fun!
Two things that you should do are:
Disable directory indexing.
Always keep the file names random. Map them using the database. i.e file1.jpg->file_af324234324324ff . You can also store the thumbnail file information in the same table.
I am looking for some open source or commercial script which can allow me to have a gallery component in my website. This component will allow users to publish photos
(add title, album name, small description) and also let them provide their video urls from youtube. For youtube videos also they will provide the title, album name and small description.
Another nice to have feature would be to let users vote on these photos and videos.
Does anyone know of any script that can be easily integrated in symfony php framework?
Rgds,
Sapan
There is nothing written that meets your exact requirements - but there this could be a starting point - or at least give you some ideas of how to store / manage assets -> http://www.symfony-project.org/plugins/sfAssetsLibraryPlugin
I'm trying to make my own framework for my own projects and I would want people to upload themes for their profiles to the database. Letting them theme the look and feel of their accounts.
I first thought of having the files on the server.
A user would log in and the PHP would pick up their user id and other misc details and route the urls to their particular folder and serve the files in that folder.
an example would be a real directory of
http://www.foo.bar/users/me/style.css
http://www.foo.bar/users/me/script.js
http://www.foo.bar/users/me/index.tpl
http://www.foo.bar/users/me/otherPage.tpl
then I was thinking wow, imagine if I have 100's of users? then I would have 100's of folders in my users directory on my server, not to mention duplicate files all over the place taking up space. So ok, while this may be the fasted way to fetch a file maybe loading the markup from the database won't be such a bad idea right?
My server looks cleaner but now my database will get queried a lot more than I would want.
Then comes the major issue i think, is having files that are particular to a user. For example stylesheets may have background url's with images, so now these images needed to be linked to their real path on the server. Which brings me back to having a dedicated folder for each user to house their theme specific files.
How can i securely and effectively find a way to let users upload themes and have all files images, pdf's, docs, etc. all saved without them potentially being accessed by another account holder or thru simple hacking techniques to pull a file from the server that belongs to another user.
One solution I thought of was to only let users who are logged in view files, append to the file a unique tag that will let the user view the file if the tag matches a session variable. But then what if a user wants to share that file with another person, then tagging the file would bring my back to square 1 with the security thing not letting view the file because they wouldn't be an authorized user.
Well in any case, what would be best practices to get some of my concerns on the right path to being delt with.
P.S.
I choose these tags because in my solutions I think they will touch upon some of these aspects.
You can store html or css in a table row but be sure to sanitize the data to avoid hacks, or injections. The easiest way would be to let the user paste the code into a text area or field. If you want to let them upload files, you will need to write a script that parses the data from the uploaded file. This is more complicated as you will have to manage all filtering and sanitizing along with making pulling the data from the file and saving it to the database.
We skin our CMS to work with multiple clients and their own users. But rather than giving them the possibility of changing ANY area or style of the page we allow certain areas such as:
upload your logo
set the colour of the banner bar behind your logo (using a smart colour picker and some 'figure out the contrast between the colours' functions)
set your text colour (using a colour picker)
and so on for the items you want them to change.
We then store those in the database and serve them up through dynamic stylesheets (I know these don't cache but it's better than having hundreds of files).
I know that MySpace used to let you upload a whole host of HTML and CSS (not sure if they still do) but it's a security nightmare as the potential for XSS is enourmous.
You may want to look at HTML Purifier if you're going to let them add their own custom HTML and full themes -> http://www.htmlpurifier.org