Protect Files security

abilham · March 11, 2019, 9:20pm

Evening,

I have a uploads file outside of the protected folder.

In here i store the images for “previous work” and i have started to store the files for users it stores quotes with their personal information) the issue is that i can browse to this location with no “access rights” meaning the files are accessible to everyone.

how am i best structuring this?

Regards

samdark · March 12, 2019, 10:15am

Keeping files out of webroot.
Serving them with https://www.yiiframework.com/doc/api/2.0/yii-web-response#xSendFile()-detail

abilham · March 12, 2019, 10:08pm

thank you.

i have moved their location but now struggling with the simplest thing! i have this controller action but when i link to it, i just keep getting #404 page does not exists

I know using Forbidden exception isn’t the right thing just a place holder while i was testing.

 public function actionViewQuote($id)
    {

        $model = quote::findOne($id);

        $file =Yii::$app->basePath.$model->quote_path;

                if(file_exists($file))
                {
                 return Yii::$app->response->xsendFile($file);
                }else{
                  throw new ForbiddenHttpException('You do not have permission to view this page.');
                }

    }

button im using:

Html::a(
                '<span class="glyphicon glyphicon-new-window"></span>', 
                ['viewQuote', 'id' => $model->id], 
                [
                    'title' => 'View',
                    'target' => '_blank',
                 ]
                 );

samdark · March 13, 2019, 1:47pm

Have you adjusted webserver root as well?

abilham · March 13, 2019, 2:17pm

Thanks you for your response but forgive me … what would i need to change?

All i have done is move the uploads folder to the _protected location.

What would i need to change in the webroot?

samdark · March 13, 2019, 5:32pm

Well, then it’s weird. Moving uploads should not result in 404 for controller.

abilham · March 13, 2019, 6:46pm

Thats what i thought.

Would you expect that button and controller to return the PDF?

samdark · March 13, 2019, 9:24pm

Yes if you have a quote with the id given.

abilham · March 13, 2019, 9:45pm

thank you!

got that working!

but now the file downloads but at 0mb do you know why?

return Yii::$app->response->xsendFile($file, $model->quote_path, ['inline' => false])->send();

samdark · March 13, 2019, 9:51pm

Try sendFile(). If it works, you probably have a problem with your web server config.

abilham · March 13, 2019, 9:56pm

well if i do that i get the below although a whole page of it.

%PDF-1.4 %�� 3 0 obj <> /Contents 4 0 R>> endobj 4 0 obj <> stream x��X�n�F}�WL�@��I?U��i��(��H+[�DZ;ߓ��U�,ɒ]e��ٹ��Y�{��!�c}Pp!��{��w��Ec�G��t�>ep�^�6��<�˼�%�F��R��#f^��̮� 8a��!� nXE#�_/>E�o�’�Q� "�r]��XZX��P�a>��=O�8:��ٵ�t��t7�N髣Y<�B��6��k<-f/(�.# c�?��ڎw�L_3�ͨ3

samdark · March 14, 2019, 11:21am

Good. That means one thing left is to send content-type so your browser triggers download.

abilham · March 14, 2019, 12:08pm

I thought that the sendfile method set the headers?

samdark · March 14, 2019, 4:45pm

No. It sends the content.

abilham · March 14, 2019, 7:22pm

How do you send content type when using sendfile?

I do really appreciate your continued help

samdark · March 15, 2019, 1:15pm

Well, actually it should trigger download but check https://www.yiiframework.com/doc/api/2.0/yii-web-response#sendFile()-detail arguments for ideas.