CakePHP access restricted files after authentication - php

I have an ACL controlled application that uses the Media plugin to upload files to /app/webroot/media. When a file is uploaded, the dirname, basename and file name are written to the database.
I'm looking for a way to restrict access to /app/webroot/media, allowing users to only view the files associated with their user id after they have signed in. Currently, users can access other user's files which is not at all ideal. Is there a best practice for this as far as CakePHP is concerned?

Any file under webroot will be publicly accessible if the user knows the url. Store your files in a folder outside webroot and then render them through a controller action using CakeResponse::file(). This way you can controller access to the action as required.

Related

how to assign permission to storage directory in my laravel application

I created a video player project in laravel. the video will play from only authenticated users. using the inspect element if anyone gets a video link that is will not download from anyone.
video store location in storage/app/
The storage should not be available for clients accessing your server's files. They should only have access to the public folder. What I normally do is creating a route for accessing files in my storage folder. In this route you can check if you want to give access to the file.
Have also a look at https://laravel.com/docs/5.8/filesystem#downloading-files

Laravel: Prevent direct access of files from public folder

I am stuck on this part of my laravel application, Where I am asked to protect the files from directly accessed via url browser hit.
I have a public folder in which in a doc folder is present where all the documents are going to be uploaded. I just need a solution to prevent this where i can access docs directly from my application but any third party visitor can not view my docs (images,pdfs etc..).
I have tried many solutions but its not at all working.
I just want to things :-
1. Protect my docs through direct access.
2. Way of implementing it in laravel (via .htaccess)
I know this can be possible through htaccess, but how?
Kindly help Please :)
Add in your upload folder .htaccess file with content:
Deny from all
There are three approaches I can think of just now;
You intercept all image and video requests with Laravel, then using the router, serve up the content that the user was after, provided they are authorised. THIS WILL BE SLOW!.
You rely on obscurity and put all that clients images, videos etc in a folder that has a long-unguessable random url. You can then link to the content in your code using the 'static' folder name. The customer's content will always be in that folder and accessible if they log in or not. The advantage of this compared to 1 is that your framework does not have to boot for every image or video.
Have all the content hidden away - possibly in the storage folder. When the user logs in, create a temporary symbolic link between their public folder and their folder in storage. Keep a note of the link in the session. Use the link in all gallery etc rather than the static code used in (2) above. Once they log out the code will no longer be valid, and you can delete the symbolic link on logout or have a job to tidy it up periodically.

logic behind websites like dropbox,google drive

I am creating website which is similar to dropbox. My logic behind the project is that I am going to create 1 table which includes username and pass and unique id.
Then I will create folder with name as that of the unique code and I will store that particular person file like video, mp3, txt in that particular folder. Now my question is how to restrict other users from entering into that folder(because I can access that folder by directly entering the url)?
Also suggest me if any other logic is more efficient.I am working on mini project.
I believe that Google Drive (and Dropbox probebly too), use https behind the scenes. In that case you simply need to make sure that your php/asp files make sure only the logged on user can access his/her files. It all depends on how your creating your cloud platform. You could also use scp, ssh, in that case your server automatically directs the client command to his/her own files.
You would need to create a controller that handles access to files. Do not direct link to the files, for example if you pass your arguments as /myFolder/myImg.jpg, then the controller would take the logedin user unique_id and the path as arguments, and then it would create a path it self.
2323-2332-a51df/myFolder/myImg.jpg
The idea is that the uniqueID will serve as base path, and your controller will handle all file access. This way you dont have to chmod 777 anything. Your controller will have access only to the folders you require and all will remain within your php settings. No need to worry about somebody trying to access any system folders.
Next to that you would just need to load the file contents and return it with the appropiate mime type.

symfony2 access private files as admin user

In my Symfony2.3 project, i have a frontend website and a backend. The backend is secure by security.yml file and only role_admin user can acces backend.
Want i want now is only admin users can download pdf files stores in assets.
Is there a way to do this ?
now, all visitors can access my pdfs files by url link.
Do i have to move this pdf to another folder? or use an htaccess maybe?
You need to store these files in a location that is not directly accessible through your webserver. (i.e. not in the web folder or one of it's subfolders)
Then create a controller/action that checks for the permission to download (i.e. a certain user-role) before serving the file.
Read the documentation chapter Serving Files for a quick overview of how you can serve files in symfony2.
Add a role, something like ROLE_ACCESS_PRIVATE ASSETS and assign it to the admin user. Do the check for that permission in the code like any other.
Edit: This is assuming, of course, that a controller stands in the way of these files.

PHP creating personal directories for each user

I'm working in php and want to make directories for each user where I would store their uploaded images. Only the user can access his/her directory and respective images.
I couldn't find much documentation on how to do this, namely creating directories, best place to put them in my server, how to link them to a user, and setting them to private. Please share your guidance on where to start. What is the standard practice?
You should consider to put Files with restricted access outside the public webroot folder and serve them via PHP, which will enable you to check the users credentials before.
(see Fastest Way to Serve a File Using PHP)
That way you might not need one directory per user.

Categories