Controlled access to secret files in laravel-4

I read that the files in the shared folder are accessible through a web browser in Laravel. When I enter the file path in my shared folder, I do not see the file, unless I have specified a path in the routes.

I am making a download page so that the user can download encrypted / secret materials through it.

I do not want the user to access the files in any other way than the upload form or other controlled methods.

Should I create, let's say, a private folder and save the files? If I do, will I have access to the files at the back end?

Or are files in a shared folder unavailable if they are not defined by routes? If this is correct, can I just save the files in the open?

+3
2 answers

Files in a shared folder are accessible to everyone, unless your web server has a policy set to a specific directory.

If you currently cannot access the file in your shared folder, this is because it is possible that you are spelling the URL incorrectly, that is:

File in

/var/www/myapp/public/img/logo.png 

Access will be through:

http://myapp.com/img/logo.png

Please note that the open part of your folder is not in your URL ONLY IF your web server is configured correctly and your .htaccess file is in place and can rewrite your URL.

For confidential files, you can save them in your application folder (or any other folder outside the public folder), which only your application will have access to, something like this might be okay:

/var/www/myapp/app/storage/<create a new folder here>

, :

Route::get('readfile/{fileName}', ['before' => 'auth', 'uses' => 'ReadFileController@read']);

'before' => 'auth' , .

- , , :

class ReadFileController extends Controller {

    public function read($fileName)
    {
        if(Auth::user()->id == 1) // of course this is not a good way, just an example
        {
            return $this->getFile($fileName);
        }
        else
        {
            return Response::make(null, 403); // forbidden
        }
    }

    private function getFile($fileName)
    {
        ...
    }

}
+10
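One way to fill in the getFile() step that the answer above leaves elided, shown as an added example that is not part of the original answer: the requested name is resolved inside the private folder and anything that would land outside it is refused. The helper name resolvePrivateFile(), the "secure" folder name and the demo files are assumptions made for illustration.

```php
<?php
// Added example. resolvePrivateFile() and the "secure" folder are hypothetical
// names; the files created below are constructed demo data.

function resolvePrivateFile($baseDir, $fileName)
{
    // Reject empty names, NUL bytes and anything containing a path separator.
    if ($fileName === '' || strpos($fileName, "\0") !== false
        || strpos($fileName, '\\') !== false
        || basename($fileName) !== $fileName) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // private folder does not exist
    }

    // realpath() resolves ".." and symlinks, so the prefix check below is
    // made against the real location of the file on disk.
    $path = realpath($base . DIRECTORY_SEPARATOR . $fileName);
    if ($path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a private folder with one file, plus a file outside it.
$root = sys_get_temp_dir() . '/private_demo_' . uniqid();
mkdir($root . '/secure', 0700, true);
file_put_contents($root . '/secure/report.pdf', 'demo');
file_put_contents($root . '/outside.txt', 'not for download');

foreach (array('report.pdf', '../outside.txt', 'missing.pdf', '..') as $name) {
    $resolved = resolvePrivateFile($root . '/secure', $name);
    echo str_pad($name, 16), $resolved === null ? 'rejected' : 'served', "\n";
}

// Inside ReadFileController::getFile($fileName) on Laravel 4 this becomes:
//   $path = resolvePrivateFile(storage_path() . '/secure', $fileName);
//   if ($path === null) App::abort(404);
//   return Response::download($path);
```

Returning 404 for every rejected name keeps the response identical whether the file is missing or outside the private folder.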

, middleware" , .

Route::get('routeName', ['middleware' => 'auth', 'uses' =>'XController@action']);
0