Protect the uploads folder


I have the folders "uploads/user1", "uploads/user2", etc, where users upload their private files.

But I want those folders are protected. Inaccessible from the browser.


Just put them inside the /protected folder. As the name suggests, it is protected. If I may suggest, create a module, then create an ‘assets’ folder in the module, then put there your uploads folder. Though it is not necessary, I think it is more organized so as to know which module owns the uploads folder.

After putting your uploads folder inside ‘protected’ folder, you might want to visit this to manipulate your protected assets. For example, use CAssetManager’s publish to,well,publish your protected assets. :)

Thank you very much Macinville, I’ll try to put the files within the module ADMIN.

Is it better to put the files into the assets folder and manage with CAssetManager, or put directly into a folder called ‘uploads’? What are the benefits?

(sorry for muy english, I use google translate…;)

You should not put any content manually in the assets folder as this folder is used by the framework to publish asset files…-

So it’s better to use a custom folder like uploads

Thanks for your clarification mdomba.

I created the folder ‘protected/uploads’. But I do not know how to access it.

I have this inside a view of muy Admin module:

<a href"<?php echo Yii::app()->baseUrl ?>/uploads/image_1.jpg">Download</a>

it does not work…

Let me explain the functionality of the site.

I have 2 modules module/admin and module/customers.

From admin I can upload files to folders for each customer. And from the module customers through authentication, customers can access and download only the files in their folder.

Let’s first clarify some points…

In your first post you wrote: "Inaccessible from the browser." But from the last post you want this files to be accessible from the browser ?

So you put the files in the protected/upload folder… is this location accessible from the web?..

I mean if the protected folder is under your domain… than you can access the files as "baseUrl/protected/uploads" instead of "baseUrl/uploads"… but if the protected folder is outside the web accessible directory then you cannot make a link to it or any subdirectory…

Ok, I need a place where customers upload their own files. These files can only be downloaded through the modules (/admin, /customers) with a visual interface. The files are not public for everyone.

I mean, a client can only download his files. But you can’t download files from another client and can not access them via url.

I do not know if I explained properly …

My structure:





/protected/uploads/customer_1 ??

/protected/uploads/customer_2 ??

Thanks for your help.

To restrict access, I suggest you use a database to store the uploaded files instead of the file system.

I would create a separate public “upload” folder. This way, you can reuse your module in other projects and it won’t have project specific user data. You can restrict browsing access by using an .htaccess file but will still be able to use the pictures for display purposes.


I solved whith this:

public function actionDownload($filename)


	       $path =  Yii::getPathOfAlias('application.uploads').DIRECTORY_SEPARATOR.Yii::app()->user->id.DIRECTORY_SEPARATOR.$filename;


	        Yii::app()->getRequest()->sendFile(basename($path), @file_get_contents($path));         


to access /protect/uploads/user_id/filename.

using the mentioned above code i get 403 You are not authorized to perform this action.

Any Idea or m i missing anything?