I need develop a web app like www.Sharefile.com. I want users to upload and then give permissions to that file for access by particular users only.
I don't know how to give permissions for server files (upload file like pdf,word) using PHP.
You ask a general question, so you get a general answer: I assume you already have some login set up for these users to upload their files. Using this same login system, you can control permissions on specific files. This is not necessarily done in php itself. For example, user and file permissions may be stored in a DB. The files themselves will probably have usual permissions.
Related
I am creating website which is similar to dropbox. My logic behind the project is that I am going to create 1 table which includes username and pass and unique id.
Then I will create folder with name as that of the unique code and I will store that particular person file like video, mp3, txt in that particular folder. Now my question is how to restrict other users from entering into that folder(because I can access that folder by directly entering the url)?
Also suggest me if any other logic is more efficient.I am working on mini project.
I believe that Google Drive (and Dropbox probebly too), use https behind the scenes. In that case you simply need to make sure that your php/asp files make sure only the logged on user can access his/her files. It all depends on how your creating your cloud platform. You could also use scp, ssh, in that case your server automatically directs the client command to his/her own files.
You would need to create a controller that handles access to files. Do not direct link to the files, for example if you pass your arguments as /myFolder/myImg.jpg, then the controller would take the logedin user unique_id and the path as arguments, and then it would create a path it self.
2323-2332-a51df/myFolder/myImg.jpg
The idea is that the uniqueID will serve as base path, and your controller will handle all file access. This way you dont have to chmod 777 anything. Your controller will have access only to the folders you require and all will remain within your php settings. No need to worry about somebody trying to access any system folders.
Next to that you would just need to load the file contents and return it with the appropiate mime type.
My server wont allow users to write files in php, for as far as I looked this has to do with user permissions. But solving this causes a major security flaw. More information about these solutions can be found here php won't create file and here How do I give PHP write access to a directory?
So my question is instead of changing the servers permissions, is it possible to change the user's permission or permission group only after he logs into the application? In php terms after running the login() function.
I want this because I am developing an application that is an extension on the admin panel of askozia(a call center). Where each user can change and see its own data, without being able to change and see the admin settings and the data of other users. However all this data is not saved in a database but in an XML-file, so users need to be able to write to this XML-file.
You should not change the User (Which would be a bigger security hole). You want some rights for your current user.
For Windows:
http://technet.microsoft.com/en-us/library/bb727008.aspx
For Linux
http://www.computerhope.com/unix/uchmod.htm
Don't forget: The useraccount for your webserver is not the user in front of the website. You have to care about the "website viewers" permission. But your webserver account, should have all rights he need. If you would change the user, it would be the same.
The permissions that are given on the filesystem are from the user that is running the PHP instance. You cannot change the permission on runtime, but you can start a different application under a different user using sudo on *nix (and runas under Windows) to create, modify and read files.
You can check the 'web user' when it's trying to change a file to prevent malicious modifications when you want to use the standard PHP file operations (but this still requires the PHP instance to have write permissions on the file).
I have following requirement.
Admin can upload any files like jpg,pdf,PPT,DOC file on server.
End User or viewer only access the files in display/view mode. User shouldn't to be allowed to copy/paste/download/print/modify files.
Please suggest me some way in doing this in PHP or any kind of Editor which gives me such kind of services so that I can embed my application to it.
-Pravin
If the user can VIEW the file then how can you make the difference between VIEW and DOWNLOAD ?
Answer: you can't.
To view a file, the browser should download it and store into it's local cache. You do not have any way to prevent this.
What you can do is to restrict the access to the directory (or the resources) with a htacess security asking username/password.
I'm working in php and want to make directories for each user where I would store their uploaded images. Only the user can access his/her directory and respective images.
I couldn't find much documentation on how to do this, namely creating directories, best place to put them in my server, how to link them to a user, and setting them to private. Please share your guidance on where to start. What is the standard practice?
You should consider to put Files with restricted access outside the public webroot folder and serve them via PHP, which will enable you to check the users credentials before.
(see Fastest Way to Serve a File Using PHP)
That way you might not need one directory per user.
I am creating a PHP script for my website that would allow my clients to login to their client account and view a list of files I've uploaded for them. Then they can download them without having to relogin or re enter a password.
I want to keep it secure so anyone cant come in and download the files if they know the clients name.
I've tried .htacccess, protecting the folders, etc.. but it doesnt seem to work. I've written the client login script thatl ets them login and view a list of files in their directory but I can't have them right click to download it without having them login.
Something similar can be seen here:
http://forums.cgsociety.org/showthread.php?f=76&t=808482
In the 2nd post, if you try to click delete.jpg it won't let you download it without logging in. I want this similar feature for my site.
The site is created in PHP, with a MySQL database.
The folder itself should have security permissions set that regular users do not have access to it, only whatever user runs the PHP process.
Your PHP scripts act as a passthrough for the actual file system. The users don't have permissions to see a list of files, but your scripts do. The users don't have permissions to access a file, but your scripts do so you can open them as binary files and write the data out to be sent to the user.
Do some research into PHP File Downloaders, this is fairly standard behaviour.
You could use cookies to signify that the user has been there before, and been authenticated. Make the value of the cookie be fairly random, so it can't be guessed. I would encrypt the username . timestamp and store that with the username, so username_token and that way you can time people out and force them to login, if you want, later.
Then, move the files out of the webapp directory, and have a cgi program that will show the files in the directory, and allow them to download them.
This way you can control what people see, and what actions are allowed.