Laravel 5: files (.doc/.pdf) storage with security - laravel-5.3

I have been developing a job posting website using Laravel 5.3. One of my functions is to allow users (job seekers) to upload their resumes (.doc/.pdf) into the storage folder. But I don't know how make it more secure that only authenticated employers can download their resumes. Please advise how to name the files while uploading and how to store them with security.
Thank you.

Related

Manage multiple pubxml files

I just created and published IISDeploy profile and it created IISDeploy.pubxml and successfully published my site.
Now I have 2 pubxml files in my solution:
IISDeploy.pubxml (mine) and
TMR.pubxml (old),
but when it tries to launch my site after publish, it uses the url in SiteUrlToLaunchafterpublish from TMR.pubxml.
If I manually pick my url and type in browser, it changes the address (redirects) to the TMR url.
How can I manage multiple pubxml files and from where do I point to the correct file.
Note: I will need to keep both of them in my solution.
Update
By the help of a colleague, it turned out that azure b2c login was involved and I did not have permission on a new url that IT admin had setup! So the site was not directing me to azure b2c login - but to TMR instead..doesn't make much sense though.

Version maintenance in firebase hosting while using both firebase CLI and REST API for hosting

Our app hosted on firebase hosting is currently updated via firebase CLI. However, our app may get a feature where a user can create some custom static web files and upload a zip file containing those files to our site, after which these files are available as part of the site. (like a wiki/news article). For example: if a user uploads a zip file file which contains an index.html and some images that are linked to the html file, then the site will get updated with these materials and will show them at: oursite.com/username/somearticle/index.html
Through info gathered via this page , it appears that using the Hosting REST API would be able to get the job done. However I have a few questions about the functionality offered by this solution:
To start using the API, we firstly need an access token to authenticate and authorize API requests. Is there a way to get this token for a standard user who's logged in to our site using firebase authentication?
It says in this part of the article that you need the list of all currently existing files and new files in order to update the site. How do I access the list of files that are currently a part of the site?
On a similar note like the above question, we may need to update the app functionality from time to time and those updates are done via the CLI. How do I ensure that these functionality updates don't overwrite updates made by the user? In other words, is there a way to merge updates into the hosting site using CLI commands?
Firebase Authentication users don't have enough privileges to deploy to hosting. The users will need to be collaborators on the Firebase project, which means they'll need to have a Google account.
I recommend checking out my Gist that shows how to deploy a single files, which does something quite similar that what you're trying to accomplish. It gets the list of existing files (and their hashes) in this code fragment.
"When a user uploads a file" doesn't exactly sound alike "version control" to me ...
better use Cloud Source Repositories and add a Build Trigger, which deploys to Firebase Hosting.
Here it's explained: https://cloud.google.com/build/docs/deploying-builds/deploy-firebase
I mean, how else would you'd be able to keep a version history? And if you really want to upload something, just upload, unzip, also commit to git. HTML files are perfectly suitable for that.
The general idea is to have a continuous version history, which automatically deploys itself on change.

Properly secure IIS 7 read/write folder

I am running IIS 7 and ASP.NET 4. It's an online charting application where one folder needs to have read/write access. Users don't upload anything into this folder directly; instead they configure chart settings and then ASP.NET generates the chart on the server and saves it as an image into that read/write folder. Users are redirected to download the image of the chart from that folder.
In order to allow IIS/ASP.NET to save an image into the folder, I give WRITE permission to IIS AppPool/ChartApp account.
But, I am worried to have write access on a folder that's open to HTTP. While there is no direct way to upload a file via my site into that folder, I am concerned that hackers will find a way to upload a script and then execute it. Are these valid concerns? Is there anything else I need to do to secure such a read/write folder?
Thanks.
The configuration is sound and a normal standard setup. As you point out, there is no way to upload a file unless you add one.
If your particularly paranoid about this, you can setup a new user account and use that account as the 'anonymous user' account (which is the credentials used by the common browsing user on your site), and ensure that account doesn't have write acccess while the AppPool account does. The anonymous user uses the AppPool identity by default.
What are all the user accounts for IIS/ASP.NET and how do they differ? has details on each different account type.
What I ended up doing is to use a different account to write the file. The code from this article worked well for impersionation. The account that writes the file has write permissions, and the "main" AppPool account is still read only.

Folder permission ASP.NET site online

I'm uploading files into a folder. It works as it should when I run the solution locally, but when I've uploaded the site to the web server using "copy website", - I can no longer upload files to the folder.
Can I change the permissions somehow?
It depends is the user that is trying to upload the file(s) into that directory on the server have permissions to that folder on the server, eg: read/write, ect... Also is the user that will be using that program on the server is running the application as themselves or as the IIS User account, or some other dedicated account?
Update:
Since you are doing it through the VPN, try terminal serving to that server and if you have personally permissions to make this change as in give permissions then do it yourself or ask the admins to do it for you.
Depending on the folder you are uploading your files into and the account you have configured the web server to execute your application under, there might be different ways to achieve that. But basically you should rant write access to this account to the given folder you are saving the uploaded files into. But if you use some of the special ASP.NET folders such as App_Data for example to store the uploaded files, the account should already have write permission to that folder. And if you have uploaded your site to some hosting company that don't provide you the possibility to change permissions on the different folders that are part of your website you might need to contact the support so that they perform he necessary modifications that you need.

Asp.net login and file upload question

Hey I just got a question, I haven't used asp.net before but am using c#/managed c++ but I was wondering how hard would it be to do the following.
1) Make a login system where users can register.
2) each user can upload 1 file each to a server.
And those files can only be accessed by that specific user by longing in.
I think its pretty basic so it shouldn't be to hard. Im guessing im going to need a database as well where both the username/passwords/files will be stored?
If anyone has any tutorials on this I would really appreciate it.
That's quite a broad question and there are plenty of resources are out there on the web to help get started.
It's easy to set up a forms authentication system in ASP.Net 4 by just creating a new website as it automatically creates the login and registration pages for the website in a database using a "Membership Provider":
Website User Authentication
You could create an "UploadFile" table in the database that has a reference to the file path and userName. When a user is authenticated you can get their User name from User.Identity.Name property and then check if they can upload a file. You can use an ORM for easier database access and there are plenty to choose from such as Linq To SQL, Entity Framework, or NHibernate.
There are several tutorial videos on file uploads:
Simple File Upload
Of course there is much more to this but hopefully will give you some ideas on where to start learning.

Resources