Well, the files are in the web directory, but the problem is not about this.
I have a view page for every file, where you can see the file details: name, uploaded by, extension, size, note, a download button, etc.
To access this ‘view file’ page, you normally need to click on a file in the GRIDVIEW (which is filtered by department_id), but my problem is direct access to the ‘view file’ page.
I don’t think I fully understand, but if you’re using an action, you can restrict access based on the logged-in user’s information. Something like the following would probably work fine:

    $userDepartmentId = /* get user department ID here */;

    // Look the file up by primary key
    $file = File::model()->findByPk($id);

    if ($file === null)
        throw new CHttpException(404, 'File not found');

    // Strict comparison: both values must have the same type
    // (cast them if the database returns the column as a string)
    if ($file->department_id !== $userDepartmentId)
        throw new CHttpException(403, 'Forbidden');

    /* send file here */

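You can call compare multiple times; each call will be added to the criteria.

    $criteria = new CDbCriteria();
    // Exact match on both columns. Passing true as the third argument
    // would switch compare() to a partial (LIKE) match, so department 1
    // would also match 10, 11, 21, ...
    $criteria->compare('department_id', $user_department_id);
    $criteria->compare('id', $id);
    $file = File::model()->find($criteria);
    if( ! isset( $file ) ) {
        // file not found for this department
    } else {
        // file found
    }
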
You have to serve the files through PHP in order to restrict access. Just compare the id and throw an exception, just like @Keith mentioned, but if you’re rewriting URLs, it’s likely Apache/nginx is serving the files without hitting that action.
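
The replies above combined into one download action, as an added example that is not code from any poster in this thread. It assumes Yii 1.1 and uses hypothetical names: `FileController`, a `department_id` user state set at login, `name` and `stored_name` columns on `File`, and a `protected/data/uploads` storage directory outside the web root.

```php
<?php
// Added example (Yii 1.1). Hypothetical names: FileController, the
// 'department_id' user state, the 'name' and 'stored_name' columns,
// and the protected/data/uploads storage directory.
class FileController extends CController
{
    public function actionDownload($id)
    {
        $user = Yii::app()->user;
        if ($user->isGuest) {
            throw new CHttpException(403, 'Forbidden');
        }

        // Assumption: department_id was stored with setState() at login.
        $departmentId = $user->getState('department_id');
        if ($departmentId === null || !ctype_digit((string)$id)) {
            throw new CHttpException(404, 'File not found');
        }

        // Exact-match lookup scoped to the caller's department, so a
        // guessed id from another department finds no row.
        $file = File::model()->findByAttributes(array(
            'id' => (int)$id,
            'department_id' => (int)$departmentId,
        ));
        if ($file === null) {
            // Same 404 for "missing" and "belongs to another department".
            throw new CHttpException(404, 'File not found');
        }

        // Stored outside the web root, so the web server cannot serve it
        // by URL; basename() drops any directory part of the stored name.
        $dir = Yii::getPathOfAlias('application.data.uploads');
        $path = $dir . DIRECTORY_SEPARATOR . basename($file->stored_name);
        if (!is_file($path)) {
            throw new CHttpException(404, 'File not found');
        }

        // Reads the whole file into memory; fine for small uploads.
        Yii::app()->request->sendFile($file->name, file_get_contents($path));
    }
}
```

The ‘view file’ action needs the same department-scoped lookup, since the GRIDVIEW filter only controls which links are shown, not which ids can be requested.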