I have XML files in a publicly accessible directory. I want to restrict them to accessible only to logged in users. So when I go to http://example.com/web/file.xml only AUTHENTICATED members can access the file. I'm using PHP & Symfony2.
Files in web are all public so don't put it into that folder.
You can create a folder into Ressources and put your xml into it.
Then create an action witch read and display your file. In this way you will be able to secure your action.
For exemple you can access as http://monsite.com/xml/get
How to secure : http://symfony.com/doc/current/cookbook/security/securing_services.html
I solve the problem with this
$filename = $this->get('kernel')->locateResource("#SomeBundle/Resources/folder/file.xml");
(Accessing Files Relative to Bundle in Symfony2)
Related
My website includes forms and php code which create pdf files for logged in users. How can I make sure only the appropriate user, the one which generated the files, can access his own files ? Also, the admin user should be able to access these files too.
At the moment, my code creates files in the wp-content/uploads folder, but then any user can access the files generated by the other users, if he can guess the file name... I am OK to create the file in any other folder if required.
I am familiar with command chown and chmod, but I am not sure how to use it in this context. The private folder of each user could be created by my php code.
Thanks for your help,
Ilann
what I did so far: a lot of google searches around "wordpress private folder", "wordpress user-specific folders"...
I have a Symfony2 project with user management (FOsUserbundle & Sonata bundles). In some case of my application, i need to create files for users, and i want to store them. The files might be big so i exclude storing them in sessions/local storage.
First question :
Is there a symfony2 pattern to handle user generated files and storage ?
Where does these files should be placed ? Which directory ?
Second question :
I have a big file that my app need to use. Users shouldn't have access to this file but mainly my app controllers have to. What is the best secured way to store this file and restrain access ?
First Question:
depending on the number of files each user has, I would use some kind of naming convention. e.g. temp/[username]/file1.dat or temp/[username].dat
You can implement this strategy by following the symfony2 cookbock for file uploads on entities and check the function:
public function preUpload()
{
if (null !== $this->file) {
// do whatever you want to generate a unique name
$this->path = uniqid().'.'.$this->file->guessExtension();
}
}
Here is the filename generated, and you can easily set the username instead of some random "uniqueid()".
Second Question
Securing files is in my opinion best implemented via a folder that is not accesible through the web.
For example if you have the following structure:
myproject
app
src
vendor
web <-- your domain points to this folder
save_files
then you can store your files in the save_folder that it is not accesible via direct web access. In your application / controller you can access it via the filesystem or use some abstraction like the KnpGaufretteBundle
I have video files (mp4's as I want people to be able to view them on ipads etc.) that I serve to users. However some of these videos are only available to users who have a certain number of user points. I have that working in that if a user doesn't have enough user points they can't view the node. All users have the same role (video viewer) and the problem is that it is possible for someone who has enough user points to view the node, grab the url of the video and then give it to someone who has the video viewer role but doesn't have enough user points and then that person can directly download that mp4.
Just looking for a way to limit access to the mp4 file if a user does not have access to the node or hide the path to the file somehow. I have the mp4's stored in a private file system but this hasn't solved the problem as the users have the same role.
I've got this (http://www.ioncube.com/html_encoder.php) working on static pages in my webspace (non drupal pages) but can't get it working in my drupal setup. When I include the php code in my node to include the php file it just gives me a blank page.
Many thanks
There's not much I could say about this that the Drupal documentation doesn't already.
http://drupal.org/documentation/modules/file#access
Managing file locations and access
When you create a file field, you can specify the sub-directory of the site's file system where uploaded files for this content type will be stored. The site's file system paths are defined on the File system page (Administer > Configuration > Media: File system).
You can also specify whether files are stored in a public directory or in a private file storage area. Files in the public directory can be accessed directly through the web server; when public files are listed, direct links to the files are used and anyone who knows a file's URL can download the file. Files in the private directory are not accessible directly through the web server; when private files are listed, the links are Drupal path requests. This adds to server load and download time, since Drupal must resolve the path for each file download request, but allows for access restrictions.
The best practice for public files is to store them in the multi-site directory like: sites/default/files
The default way to securely add a private directory for your files is to use a directory that can not be accessed directly by your web server, but can be accessed by Drupal. Ideally this directory should be located outside of your Drupal root folder.
The simple way to add a private directory for your files is to create a sub-directory under the public directory like: sites/default/files/private
When you specify the private directory in admin/config/media/file-system it will automatically create the sub-directory & create a simple .htaccess file with Deny from all. This stops Apache from serving files from this directory. Make sure that you test this by adding file to that directory and verifying that you can't browse there directly. If this isn't working, all files in this directory will be accessible to anyone who can guess the URL! Note that non-Apache web servers may need additional configuration to secure private file directories.
Accessing Private Files
Once configured, files stored in the private directory are inaccessible via a direct link; however, if Drupal constructs a link to the file, the file will be accessible to anyone who can see the link.
For example: you have created a new content type with a file field which stores files in your site's private file directory. Next you create a node from this new content type and attach two new files. When the node is published links to both attached files are visible and anyone who can view the node may download the files. Now, if you unpublish the node, all attached files become inaccessible for download even if you use the direct link to the files that worked when the node was published.
Re-publish the node, and disable the "display" checkbox for one of the files. Save the node. Now one file is accessible for public download and the other is not accessible--even if you have the direct URL for the file that is not listed you will not be able to download this file.
For finer grained control of who can see/download attached files you will need an additional access control module. You may write a module yourself, or use a contributed module such as Content Access.
I have a folder which users can upload their docs inside that.its call upload folder.it is located underneath app_data in solution explorer.I want the users to see just their own uploaded docs not others and restrict any direct access to other articles.
I also have an admin user which i want to be able to access all the docs uploaded and be able to download the file.
how could i :
1.restrict users
2.write code to download uploaded file
thanks in advance.
Well, what is the problem? Close this folder to access it using direct links (if you are using App_Data it's already done) and create httphandler that returns file data. In httphandler change look have the user have access to request file
I need very advanced and effective method of Preventing Users from Downloading file from website directly in asp.net.
Method should -
limit downloads,
limit time,
limit requests,
etc.
but should be downloadable by active login users
Delete the file from the server.
Any user trying to download it will not longer succeed.
You can put your files into a directory and configure that directory as not accessible by public users.
Store the files in a folder which is not accessible via IIS (i.e., not underneath your web application's root)
Create an .ashx generic handler which takes a file identifier (either filename, or ID of some sort) as a QueryString parameter.
In that .ashx, perform whatever checks you want to perform: is the user logged in? have they downloaded too many files? etc.
Then, if you decide that they should be allowed to download it, set the response headers appropriately and write the file out to Response.OutputStream