Protect Files security


I have a uploads file outside of the protected folder.

In here i store the images for “previous work” and i have started to store the files for users it stores quotes with their personal information) the issue is that i can browse to this location with no “access rights” meaning the files are accessible to everyone.

how am i best structuring this?


  1. Keeping files out of webroot.
  2. Serving them with

thank you.

i have moved their location but now struggling with the simplest thing! i have this controller action but when i link to it, i just keep getting #404 page does not exists

I know using Forbidden exception isn’t the right thing just a place holder while i was testing.

 public function actionViewQuote($id)

        $model = quote::findOne($id);

        $file =Yii::$app->basePath.$model->quote_path;

                 return Yii::$app->response->xsendFile($file);
                  throw new ForbiddenHttpException('You do not have permission to view this page.');


button im using:

                '<span class="glyphicon glyphicon-new-window"></span>', 
                ['viewQuote', 'id' => $model->id], 
                    'title' => 'View',
                    'target' => '_blank',

Have you adjusted webserver root as well?

Thanks you for your response but forgive me … what would i need to change?

All i have done is move the uploads folder to the _protected location.

What would i need to change in the webroot?

Well, then it’s weird. Moving uploads should not result in 404 for controller.

Thats what i thought.

Would you expect that button and controller to return the PDF?

Yes if you have a quote with the id given.

thank you!

got that working!

but now the file downloads but at 0mb do you know why?

return Yii::$app->response->xsendFile($file, $model->quote_path, ['inline' => false])->send();

Try sendFile(). If it works, you probably have a problem with your web server config.

well if i do that i get the below although a whole page of it.

%PDF-1.4 %���� 3 0 obj &lt;&gt; /Contents 4 0 R&gt;&gt; endobj 4 0 obj &lt;&gt; stream x��X�n�F}�WL�@���I?U��i����(��H+[�DZ;ߓ��U�,ɒ]e����ٹ��Y�{���!�c}Pp!���{��w���Ec�G�����t�&gt;ep�^�6��&lt;�˼�%�F��R���#f^���̮� 8a��!� nXE#�_/>E�o�’�Q� "�r]����XZX��P�a>���=O�8:��ٵ�t��t7�N髣Y<�B��6���k&lt;-f/(�.# c�?���ڎw�L_3�ͨ3

Good. That means one thing left is to send content-type so your browser triggers download.

I thought that the sendfile method set the headers?

No. It sends the content.

How do you send content type when using sendfile?

I do really appreciate your continued help

Well, actually it should trigger download but check arguments for ideas.

1 Like