Protect image directory - symfony

I'm looking for some solution which will make my directory with pictures secured.
On my page only the Administrator has permission to upload pictures. Users only have the opportunity to view the pictures for products. I want to make the directory more secure. I want to make it difficult to download all the pictures with some kind of script.
For now I tried with .htaccess and .htpasswd; it works fine, but when a User tries to see the product page (where pictures from the secured folder are shown), .htaccess requires a username and password.
Is it possible to enter the username and password for this directory from the server side when the user is viewing the product page? And in case he opens a link to the picture in a new window, then the username and password are required?
Do you know some other solutions?
Cheers

Don't store the images in your web folder where everyone can access them. Instead, store them outside of the web path (for example in app/data or so) and use a symfony controller to deliver them. This way you can use the symfony security component.
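The approach in the answer above, sketched as an added example (not code from the answer or from the Symfony project). It assumes Symfony 5.4/6.x on PHP 8 with attribute routing; the controller name, the `product_image` route, the `var/product_images` directory and the `ROLE_USER` requirement are hypothetical choices.

```php
<?php
// Added example. ProductImageController, the route, var/product_images and
// ROLE_USER are assumptions for illustration, not names from the question.
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
use Symfony\Component\Routing\Annotation\Route;

class ProductImageController extends AbstractController
{
    private const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

    // The requirement admits flat file names only, so "../" never reaches the action.
    #[Route('/product-image/{name}', name: 'product_image', methods: ['GET'],
        requirements: ['name' => '[A-Za-z0-9_-]+\.(?:jpe?g|png|gif|webp)'])]
    public function show(string $name): BinaryFileResponse
    {
        // Security component check: throws AccessDeniedException unless the
        // current user holds the role (role name is an assumption).
        $this->denyAccessUnlessGranted('ROLE_USER');

        // Directory outside the public web root (assumed location).
        $base = realpath($this->getParameter('kernel.project_dir') . '/var/product_images');
        $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $name);

        // Defence in depth: the resolved path (symlinks included) must stay inside $base.
        if ($path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR) || !is_file($path)) {
            throw $this->createNotFoundException();
        }
        // Serve only real images, whatever the extension claims.
        if (!in_array(mime_content_type($path), self::ALLOWED_MIME, true)) {
            throw $this->createNotFoundException();
        }

        $response = new BinaryFileResponse($path);
        $response->setPrivate(); // keep shared caches from storing protected images
        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_INLINE, $name);

        return $response;
    }
}
```

Product page templates then reference the route, for instance `<img src="{{ path('product_image', {name: 'chair.jpg'}) }}">`, so the browser sends the session cookie with each image request and no separate HTTP Basic prompt appears.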

In addition to the good answer by #Pierre, you can use a filesystem abstraction layer. I'd recommend using Gaufrette. To integrate it with Symfony, you could use KnpGaufretteBundle.
It will give you way more flexibility, such as:
- using external filesystems (e.g. Amazon S3, FTP, sFTP)
- using the Symfony Security component or ACL.
Everything depends on your needs and your approach in the project. However, if you need some flexibility, I'd recommend trying it out.

Related

Is there a possibility to encrypt media files uploaded in Moodle?

I've run into a problem using Moodle 3.2. I'm uploading mp3-files to be played in a quiz. I have the license to use those files for that specific purpose, but I am not the owner. Thus, I would like to ensure that nobody without a Moodle account can access these files.
However, the path to the files can be extracted from the source code and once you have the path, anybody can access the file. Is there any way to protect the file so only registered users can access it, even if they have the direct path?
Thank you so much!
All the best
Dom
EDIT: I've learned that files actually are encrypted by login - I just had the login cookie remaining in several browsers and thus was able to access them.
Are the files served by moodleinstallation/pluginfile.php/? This would include login/permission checks

In Alfresco, creating folders under a site or under the document library of a site?

I am new to Alfresco. Using version 5.0.d.
I am developing CMIS based application code to index and access documents into Alfresco repository.
All these documents that our application would be storing are mainly by/for our application.
So probably a limited set of users of our clients might want to manage them through Share UI.
When I go into Alfresco Share interface, I see the concept of sites.
I decided to create a site for our application.
Then inside the site, I am able to create folders.
Underneath the site, I also see a document library location, inside which I can create folders as well.
I am having a hard time choosing or deciding on an approach.
In order to access the 'Sample' folder that is created directly under the 'testSite' site, CMIS (Java) code looks like this:
Folder folder = (Folder) cmisSession.getObjectByPath("/Sites/testSite/Sample");
In order to access the 'TestFolder' folder that is created under the document library of the site:'testSite', CMIS (Java) code looks like this:
Folder folder = (Folder) cmisSession.getObjectByPath("/Sites/testSite/documentLibrary/TestFolder");
Code does not look any different other than the path...
Can you tell me why anyone would prefer to organize their folders one way or the other?
I also do not know if this is the best way, or if there is any other way, in CMIS API to access the folders underneath a site...
You do not necessarily need to use sites to store your contents.
Sites are designed as collaboration spaces. When you use a site you get "for free":
Simplified (but sometimes not flexible enough) role based access permissions. The idea is that a site manager decides, at the site level, the role of each user. Permissions can be applied to roles instead of groups or users. This helps to simplify the administration of permissions, but sometimes is not flexible enough. Using the API or accessing the folders of the sites in the "repository view" (see for example http://docs.alfresco.com/4.2/concepts/share-repodoclib.html), you can set more granular permissions, but doing it somehow breaks the "simplified" role based permissions.
Collaboration pages: document library, blog, calendar, data lists, etc...
A site dashboard that can have a different configuration for each site and site specific dashlets
Site visibility: public, moderate, private; and the function to invite users and manage users at site level
Probably other functionality that does not come to my mind right now
As I mentioned, the "document library" is one of the pages in a site. It is designed to collaborate on contents. If you are using sites, use the document library for contents on which users will collaborate. These contents are stored in the path:
/Sites/site-name/documentLibrary/
You can definitely create contents directly in /Sites/site-name/ but they won't be visible in the "document library" page of the site. This is what Alfresco does to store other types of content associated with a site, such as: data lists, calendar events, discussions, etc...
If your repository is accessed only with a custom application by CMIS, I am not sure that you will get any benefit using sites.
I wouldn't use it if you would end up with a single site.
I would suggest to use it, if you think that it can be useful to "invite" users to sites and assign permissions based on roles.

Getting user home folder through alfresco rest api

Using Alfresco web scripts I can login and get ticket but I can't find any script to get user home folder. I can get folders inside another folder using below script: GET /alfresco/service/slingshot/doclib/doclist/{type}/node/{store_type}/{store_id}/{id} But after login I don't know the user home id. Does anybody know how to do it?
The userhome, once authenticated, is considered to be a root object if you are dealing with classic webscripts.
https://wiki.alfresco.com/wiki/5.0_JavaScript_API#Root_Scope_Objects
You can access it via
var name = userhome.properties.name
Or you can use any of the other properties you may need via the Scripting Node API.
If you are looking for a webscript itself that just returns back the userhome you may need to create your own webscript to access just their User Home information. This can be done quickly and I recommend following this tutorial to learn how to quickly create one that fits what you are looking to do
http://ecmarchitect.com/alfresco-developer-series-tutorials/webscripts/tutorial/tutorial.html

In which folder can I store user uploaded images

I've a classified ads system on ASP.NET/c#/MS SQL, and I'm trying to figure out where to store the images that people upload when placing an ad. The ad itself is being stored in a SQL server database.
The images are now being stored in a subfolder of my webapp. It seems to work fine, however I only recently discovered a big problem. Every time a user deletes an ad, the attached images are to be deleted as well, including the folder they reside in. This leads to a restart of the asp.net application. I searched the internet and found that restarting the web-app is actually intended behaviour when a subfolder is being deleted.
Obviously, I need to fix this. But how to do that? Where can I store images in such a way that:
I can remove these images including the folders they are stored in?
I can access them using a URL (the images need to be shown in the webpages)?
Without the web-app being restarted?
Any feedback is appreciated!
Paul
See this question Deleting a directory results in application restart
Another alternative would be to store the images in the DB instead.
Another option would be to put the images in a directory completely unrelated to the web site then serve the images through a scripted page or handler. It would make all of your image urls look like mydomaincom/serveimage.aspx?imageid=323422, but unless you're counting on the name somewhere that really shouldn't matter much. Obviously it would require a modification to the page that serves the images in the first place as well, but if sub directories of this unrelated directory are deleted IIS really shouldn't care at all.
Maybe you can store the images in SQL (check out the filestream feature in this case).
If not, I suppose you have somewhere in a business facade class, a service class or wherever you want, a method "DeleteAd".
This method will have to do two things:
- delete the sql data
- delete the image file
Also, you may change the image store to another folder, outside the web app. You will probably end up writing a custom handler (myhandler.ashx?fileid=XX) to serve the files, or a custom route and controller if you use MVC.

How should i browse an image file and save at server in asp.net

I have one requirement from a client where they want to browse and save their choice of Logo image in a website which I am developing.
Really I don't know how it happens. Is there any issue like security I need to consider while implementing this logic?
Please help me to solve:
How will the user (client) browse the image file, and where should I store that file on the server?
Every individual user can browse a file of different size and different name; how can I manage this on the server side so that the image appears at the right place and in the right manner?
Where should I store the image corresponding to the user id on the server; i.e. in a database or a file?
Is there any security issue/folder rights when saving a file on the server?
Please help?
asp.net has a built in file upload control.. that should be all you need
http://msdn.microsoft.com/en-us/library/aa479405.aspx
https://web.archive.org/web/20211020140211/https://www.4guysfromrolla.com/webtech/091201-1.shtml
http://ondotnet.com/pub/a/dotnet/2002/04/01/asp.html
There are also some awesome Third Party controls that have far more power... I happen to like the RadUpload
This is all dealt with the built in controls
Not sure what you're asking in question 2
If images are user specific, then you should store them in some unique file (I personally prefer using the UniqueIdentifier of the UserID in the Membership Provider... It's harder to "crack" than an ID number (depending on how hidden these images need to be))... you could also store in the database if you need to keep the images completely away from the application so that they cannot be accessed outside of your application.
The application needs to have write permissions to the folder that you're storing the images in if you choose to store in a folder instead of the database.
