I have a Symfony project with an uploads folder. Within that folder I have sub-folders that I would like to restrict access to some of. eg.
- small (allow)
- medium (allow)
- large (dis-allow)
- original (dis-allow)
How can I restrict access to the 2 folders above and then intercept the call to a controller so I can check credentials before serving the file?
Symfony use user www-data (like Apache) to access files on your server. You can disable access for this user.
If you want to control access for all of your users in Symfony app, you must create users in your OS and then give them permissions.
Related
I created a video player project in laravel. the video will play from only authenticated users. using the inspect element if anyone gets a video link that is will not download from anyone.
video store location in storage/app/
The storage should not be available for clients accessing your server's files. They should only have access to the public folder. What I normally do is creating a route for accessing files in my storage folder. In this route you can check if you want to give access to the file.
Have also a look at https://laravel.com/docs/5.8/filesystem#downloading-files
I am creating website which is similar to dropbox. My logic behind the project is that I am going to create 1 table which includes username and pass and unique id.
Then I will create folder with name as that of the unique code and I will store that particular person file like video, mp3, txt in that particular folder. Now my question is how to restrict other users from entering into that folder(because I can access that folder by directly entering the url)?
Also suggest me if any other logic is more efficient.I am working on mini project.
I believe that Google Drive (and Dropbox probebly too), use https behind the scenes. In that case you simply need to make sure that your php/asp files make sure only the logged on user can access his/her files. It all depends on how your creating your cloud platform. You could also use scp, ssh, in that case your server automatically directs the client command to his/her own files.
You would need to create a controller that handles access to files. Do not direct link to the files, for example if you pass your arguments as /myFolder/myImg.jpg, then the controller would take the logedin user unique_id and the path as arguments, and then it would create a path it self.
2323-2332-a51df/myFolder/myImg.jpg
The idea is that the uniqueID will serve as base path, and your controller will handle all file access. This way you dont have to chmod 777 anything. Your controller will have access only to the folders you require and all will remain within your php settings. No need to worry about somebody trying to access any system folders.
Next to that you would just need to load the file contents and return it with the appropiate mime type.
In my Symfony2.3 project, i have a frontend website and a backend. The backend is secure by security.yml file and only role_admin user can acces backend.
Want i want now is only admin users can download pdf files stores in assets.
Is there a way to do this ?
now, all visitors can access my pdfs files by url link.
Do i have to move this pdf to another folder? or use an htaccess maybe?
You need to store these files in a location that is not directly accessible through your webserver. (i.e. not in the web folder or one of it's subfolders)
Then create a controller/action that checks for the permission to download (i.e. a certain user-role) before serving the file.
Read the documentation chapter Serving Files for a quick overview of how you can serve files in symfony2.
Add a role, something like ROLE_ACCESS_PRIVATE ASSETS and assign it to the admin user. Do the check for that permission in the code like any other.
Edit: This is assuming, of course, that a controller stands in the way of these files.
I have an ACL controlled application that uses the Media plugin to upload files to /app/webroot/media. When a file is uploaded, the dirname, basename and file name are written to the database.
I'm looking for a way to restrict access to /app/webroot/media, allowing users to only view the files associated with their user id after they have signed in. Currently, users can access other user's files which is not at all ideal. Is there a best practice for this as far as CakePHP is concerned?
Any file under webroot will be publicly accessible if the user knows the url. Store your files in a folder outside webroot and then render them through a controller action using CakeResponse::file(). This way you can controller access to the action as required.
I have a PHP web application (running on Apache/Linux) that, among other things, allows some browsing of local files on the web server. Since Apache is running as a special "www" user, PHP has access to everything that "www" can access, whichever user is logged into the application.
What is the best way to limit the access to files according to the Unix filesystem privileges for the logged-in user? Ideally, I could spawn off a new process with user ID being the logged in user, but I'm not sure if that's possible. Alternatively, is there a standard PHP library somewhere that will do the permission checking and access the files?
I don't get what you mean because the user that access the files is the PHP users, not a generic user that request your page (you are not connecting to your server with SSH)
You may want to implement an ACL on top of your application to manage this rights.
And of course Zend has the solution: http://framework.zend.com/manual/en/zend.acl.html
You may take a look over http://httpd.apache.org/docs/2.0/suexec.html it should do what you need, without the need to keep a separate lsit of users and permissions in your aplications.
As far as i know, this extension is implemented on some(if not all) shared hosting services to control how resources are divided between users.
This will lead to scripts not getting executed by www-data(but by the system user), and PHP not running as a module(by CGI/fastCGI mechanisms).
This can be accomplished via a three-step process:
Create a rewrite rule (via .htaccess or the Apache config file) to redirect all requests for your "local files" to a PHP script.
Check the authentication status of the user in the script.
Use the script to load and output the file if the user is authenticated.