Protect Files security

(Andrewbilham) #1


I have an uploads folder outside of the protected folder.

In here I store the images for “previous work” and I have started to store the files for users (it stores quotes with their personal information). The issue is that I can browse to this location with no “access rights”, meaning the files are accessible to everyone.

How am I best structuring this?


(Alexander Makarov) #2
  1. Keeping files out of webroot.
  2. Serving them with
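
The two points above, worked through as an added example (not code from this thread or from Yii itself): the uploads directory lives outside the web root so nothing in it has a URL, and a controller action is the only way to get a file out. It is assumed that there is a `Quote` ActiveRecord in `app\models` with `id`, `user_id` and `quote_path` (a path relative to the upload directory), that uploads sit in `@app/uploads` rather than `@app/web/uploads`, and that the logged-in user is identified by `Yii::$app->user->id`; these names are assumptions, not taken from the thread.

```php
<?php

namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
use app\models\Quote; // assumed ActiveRecord with id, user_id, quote_path

class QuoteController extends Controller
{
    // Assumed layout: <app>/uploads, i.e. a sibling of <app>/web, never inside it.
    // Nothing under this directory is reachable by URL; only this controller serves it.
    private const UPLOAD_ROOT = '@app/uploads';

    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    ['allow' => true, 'roles' => ['@']], // authenticated users only
                ],
            ],
        ];
    }

    /**
     * Resolve a stored relative path to an absolute file inside UPLOAD_ROOT.
     * Returns null when the file does not exist or when the resolved path
     * escapes the upload directory (e.g. a quote_path of "../config/db.php").
     * realpath() collapses ".." and symlinks before the prefix check is made.
     */
    public static function resolveUploadPath(string $relative): ?string
    {
        $root = realpath(Yii::getAlias(self::UPLOAD_ROOT));
        if ($root === false) {
            return null;
        }
        $full = realpath($root . DIRECTORY_SEPARATOR . ltrim($relative, '/\\'));
        if ($full === false || strpos($full, $root . DIRECTORY_SEPARATOR) !== 0) {
            return null; // missing, or outside the upload root
        }
        return is_file($full) ? $full : null;
    }

    // Reached via Url::to(['view-quote', 'id' => $id]); Yii maps actionViewQuote
    // to the route "view-quote".
    public function actionViewQuote($id)
    {
        $model = Quote::findOne($id);
        // Same 404 whether the row is missing or belongs to another user, so the
        // id in the URL cannot be used to confirm which quotes exist.
        if ($model === null || (int) $model->user_id !== (int) Yii::$app->user->id) {
            throw new NotFoundHttpException('Quote not found.');
        }

        $file = self::resolveUploadPath($model->quote_path);
        if ($file === null) {
            throw new NotFoundHttpException('Quote file not found.');
        }

        // sendFile() reads the file itself and sets Content-Type, Content-Length
        // and Content-Disposition from the options, so no web-server module is needed.
        return Yii::$app->response->sendFile($file, 'quote-' . $model->id . '.pdf', [
            'mimeType' => 'application/pdf',
            'inline' => true, // false forces a "Save as" download instead
        ]);
    }
}
```

The ownership check is the part that actually closes the hole from the first post: moving the directory only removes the direct URL, and without comparing `user_id` to the current user any logged-in user could still fetch any quote by changing the id.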

(Andrewbilham) #3

thank you.

I have moved their location but am now struggling with the simplest thing! I have this controller action, but when I link to it I just keep getting a #404 page does not exist.

I know using the Forbidden exception isn’t the right thing; it is just a placeholder while I was testing.

    public function actionViewQuote($id)
    {
        $model = quote::findOne($id);
        if ($model === null) {
            throw new NotFoundHttpException('Quote not found.');
        }

        $file = Yii::$app->basePath . $model->quote_path;

        // Placeholder from testing; placed after the return it was unreachable,
        // so any access check has to happen before the file is sent:
        // throw new ForbiddenHttpException('You do not have permission to view this page.');
        return Yii::$app->response->xSendFile($file);
    }


Button I'm using:

            Html::a(
                '<span class="glyphicon glyphicon-new-window"></span>',
                ['view-quote', 'id' => $model->id], // actionViewQuote is routed as "view-quote", not "viewQuote"
                [
                    'title' => 'View',
                    'target' => '_blank',
                ]
            )

(Alexander Makarov) #4

Have you adjusted webserver root as well?

(Andrewbilham) #5

Thank you for your response, but forgive me … what would I need to change?

All I have done is move the uploads folder to the _protected location.

What would i need to change in the webroot?

(Alexander Makarov) #6

Well, then it’s weird. Moving uploads should not result in 404 for controller.

(Andrewbilham) #7

That's what I thought.

Would you expect that button and controller to return the PDF?

(Alexander Makarov) #8

Yes if you have a quote with the id given.

(Andrewbilham) #9

Thank you!

Got that working!

But now the file downloads at 0 MB. Do you know why?

// Returning the Response object is enough; Yii sends it after the action.
// The second argument is the download name, so use the file name, not the full path.
return Yii::$app->response->xSendFile($file, basename($model->quote_path), ['inline' => false]);

(Alexander Makarov) #10

Try sendFile(). If it works, you probably have a problem with your web server config.
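
Why the web-server configuration matters for that symptom, as an added example rather than code from the thread: `xSendFile()` writes only headers (`X-Sendfile` by default, plus Content-Type and Content-Disposition) and sends no body, relying on the web server to attach the file. If the server has no X-Sendfile support configured, the browser receives an attachment response with an empty body, which is exactly a 0 MB download; `sendFile()` streams the bytes from PHP and so works regardless. The function below assumes the caller has already checked that the user owns the quote and that `$absolutePath` is a validated file under the upload directory; the directory `/var/www/app/uploads` and the nginx location name are assumptions.

```php
<?php

use Yii;
use yii\web\Response;

/**
 * Build the download response for an already-authorised quote file.
 *
 * $server is 'apache' (mod_xsendfile) or 'nginx' (X-Accel-Redirect).
 * Matching server configuration (assumed paths):
 *
 *   Apache, in the vhost with mod_xsendfile loaded:
 *     XSendFile On
 *     XSendFilePath /var/www/app/uploads
 *
 *   nginx, an internal location mapping a URI prefix onto the directory:
 *     location /protected-uploads/ {
 *         internal;                  # refused if requested directly
 *         alias /var/www/app/uploads/;
 *     }
 */
function quoteDownloadResponse(string $absolutePath, string $server, string $downloadName): Response
{
    $response = Yii::$app->response;
    $options = ['mimeType' => 'application/pdf', 'inline' => false];

    if ($server === 'nginx') {
        // nginx expects the internal URI in the header, not a filesystem path,
        // and decodes it, so each segment of the relative path is URL-encoded.
        $uploadRoot = '/var/www/app/uploads/'; // assumed, must match the alias above
        $relative = substr($absolutePath, strlen($uploadRoot));
        $internalUri = '/protected-uploads/'
            . implode('/', array_map('rawurlencode', explode('/', $relative)));
        $options['xHeader'] = 'X-Accel-Redirect';
        return $response->xSendFile($internalUri, $downloadName, $options);
    }

    // Apache: the default X-Sendfile header carries the filesystem path, which
    // must lie under XSendFilePath or mod_xsendfile answers 404.
    return $response->xSendFile($absolutePath, $downloadName, $options);
}
```

Because the server, not PHP, enforces `XSendFilePath` or the `internal` location, the path and ownership checks still have to happen in the controller before this function is called; the server configuration only stops the mechanism from being used to read arbitrary files.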

(Andrewbilham) #11

Well, if I do that I get the below, although a whole page of it.

%PDF-1.4 %���� 3 0 obj <> /Contents 4 0 R>> endobj 4 0 obj <> stream x��X�n�F}�WL�@���I?U��i����(��H+[�DZ;ߓ��U�,ɒ]e����ٹ��Y�{���!�c}Pp!���{��w���Ec�G�����t�>ep�^�6��<�˼�%�F��R���#f^���̮� 8a��!� nXE#�_/>E�o�’�Q� "�r]����XZX��P�a>���=O�8:��ٵ�t��t7�N髣Y<�B��6���k<-f/(�.# c�?���ڎw�L_3�ͨ3

(Alexander Makarov) #12

Good. That means one thing left is to send content-type so your browser triggers download.

(Andrewbilham) #13

I thought that the sendfile method set the headers?

(Alexander Makarov) #14

No. It sends the content.

(Andrewbilham) #15

How do you send the content type when using sendFile?

I do really appreciate your continued help

(Alexander Makarov) #16

Well, actually it should trigger a download, but check the arguments for ideas.