I blocked a directory of my client web site due to segurity issues.
In these directory there are some pdf files, that users can read logging-into the application.
In this way when they click on the pdf to download, doesn't appear the URL of the file.
By the way an hacker could find it and read these files, so I blocked the directory.
Now I need to let my users read the pdfs.
How can I do in php?
I mean, only authenticated users can read these files.
Thanks a lot!!
Since PHP runs in Apache Server it 'acts' as the Server User (e.g. www-data) it will be able to access this directory, if the www-data user has the privileges to access it. Any other authorization checks have to be done in PHP by authentication and authorization workflows.
Related
I have some files (mp4/pdf/etc..) that I want to deploy to my webserver, but I want access to be restricted so only users who have been authenticated can access them.
The server is running centos 7 with nginx and I have a MYSQL database as well. I understand how to authenticate users using PHP but I don't know how to actually restrict the files from being accessed otherwise.
I expect to be able to provide authenticated users with some link to download the content, but any users who are not logged in will receive some error message.
Put the files outside the web server's document root so they can't be accessed directly by any user. Then create a download page in PHP that verifies your existing authentication, sets appropriate download headers, reads the file, and dumps the contents to the user.
My server wont allow users to write files in php, for as far as I looked this has to do with user permissions. But solving this causes a major security flaw. More information about these solutions can be found here php won't create file and here How do I give PHP write access to a directory?
So my question is instead of changing the servers permissions, is it possible to change the user's permission or permission group only after he logs into the application? In php terms after running the login() function.
I want this because I am developing an application that is an extension on the admin panel of askozia(a call center). Where each user can change and see its own data, without being able to change and see the admin settings and the data of other users. However all this data is not saved in a database but in an XML-file, so users need to be able to write to this XML-file.
You should not change the User (Which would be a bigger security hole). You want some rights for your current user.
For Windows:
http://technet.microsoft.com/en-us/library/bb727008.aspx
For Linux
http://www.computerhope.com/unix/uchmod.htm
Don't forget: The useraccount for your webserver is not the user in front of the website. You have to care about the "website viewers" permission. But your webserver account, should have all rights he need. If you would change the user, it would be the same.
The permissions that are given on the filesystem are from the user that is running the PHP instance. You cannot change the permission on runtime, but you can start a different application under a different user using sudo on *nix (and runas under Windows) to create, modify and read files.
You can check the 'web user' when it's trying to change a file to prevent malicious modifications when you want to use the standard PHP file operations (but this still requires the PHP instance to have write permissions on the file).
I need develop a web app like www.Sharefile.com. I want users to upload and then give permissions to that file for access by particular users only.
I don't know how to give permissions for server files (upload file like pdf,word) using PHP.
You ask a general question, so you get a general answer: I assume you already have some login set up for these users to upload their files. Using this same login system, you can control permissions on specific files. This is not necessarily done in php itself. For example, user and file permissions may be stored in a DB. The files themselves will probably have usual permissions.
I have a PHP web application (running on Apache/Linux) that, among other things, allows some browsing of local files on the web server. Since Apache is running as a special "www" user, PHP has access to everything that "www" can access, whichever user is logged into the application.
What is the best way to limit the access to files according to the Unix filesystem privileges for the logged-in user? Ideally, I could spawn off a new process with user ID being the logged in user, but I'm not sure if that's possible. Alternatively, is there a standard PHP library somewhere that will do the permission checking and access the files?
I don't get what you mean because the user that access the files is the PHP users, not a generic user that request your page (you are not connecting to your server with SSH)
You may want to implement an ACL on top of your application to manage this rights.
And of course Zend has the solution: http://framework.zend.com/manual/en/zend.acl.html
You may take a look over http://httpd.apache.org/docs/2.0/suexec.html it should do what you need, without the need to keep a separate lsit of users and permissions in your aplications.
As far as i know, this extension is implemented on some(if not all) shared hosting services to control how resources are divided between users.
This will lead to scripts not getting executed by www-data(but by the system user), and PHP not running as a module(by CGI/fastCGI mechanisms).
This can be accomplished via a three-step process:
Create a rewrite rule (via .htaccess or the Apache config file) to redirect all requests for your "local files" to a PHP script.
Check the authentication status of the user in the script.
Use the script to load and output the file if the user is authenticated.
I am creating a PHP script for my website that would allow my clients to login to their client account and view a list of files I've uploaded for them. Then they can download them without having to relogin or re enter a password.
I want to keep it secure so anyone cant come in and download the files if they know the clients name.
I've tried .htacccess, protecting the folders, etc.. but it doesnt seem to work. I've written the client login script thatl ets them login and view a list of files in their directory but I can't have them right click to download it without having them login.
Something similar can be seen here:
http://forums.cgsociety.org/showthread.php?f=76&t=808482
In the 2nd post, if you try to click delete.jpg it won't let you download it without logging in. I want this similar feature for my site.
The site is created in PHP, with a MySQL database.
The folder itself should have security permissions set that regular users do not have access to it, only whatever user runs the PHP process.
Your PHP scripts act as a passthrough for the actual file system. The users don't have permissions to see a list of files, but your scripts do. The users don't have permissions to access a file, but your scripts do so you can open them as binary files and write the data out to be sent to the user.
Do some research into PHP File Downloaders, this is fairly standard behaviour.
You could use cookies to signify that the user has been there before, and been authenticated. Make the value of the cookie be fairly random, so it can't be guessed. I would encrypt the username . timestamp and store that with the username, so username_token and that way you can time people out and force them to login, if you want, later.
Then, move the files out of the webapp directory, and have a cgi program that will show the files in the directory, and allow them to download them.
This way you can control what people see, and what actions are allowed.