Restrict access to uploaded files


We have made an ‘uploads/’ folder in the ‘/basic/web/’ directory, where we store PDF reports and images.

So, the URL formed to view these files is something like: "http://<domain>/basic/web/uploads/<filename.pdf>"

Thus, the URL is public and anybody having the URL is able to view the files.

We need to restrict access to files:

  1. if the user is logged-in

  2. if the user has certain permissions [authorize() is already written. We just need to call this function.]

Can somebody help me with an approach to restrict user access to files?

  1. Put files out of webroot.

  2. Serve these via controller action.
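
The two steps above as one controller, as an added example that is not code from the original thread. It assumes a Yii2 basic application (suggested by the /basic/web/ path), uploads moved to a hypothetical @app/uploads directory outside web/, a hypothetical FileController, and that the existing authorize() is a global function returning true when access is allowed.

```php
<?php
// Added example. Assumptions: Yii2 basic app, files stored in @app/uploads
// (outside the web root), authorize() is global and returns a boolean.

namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;

class FileController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                // '@' matches authenticated users only; guests are sent to login.
                'rules' => [['allow' => true, 'actions' => ['view'], 'roles' => ['@']]],
            ],
        ];
    }

    // Requested as index.php?r=file/view&name=report.pdf
    public function actionView($name)
    {
        if (!\authorize()) { // assumed signature of the existing function
            throw new ForbiddenHttpException('You are not allowed to view this file.');
        }

        $base = realpath(Yii::getAlias('@app/uploads'));
        // basename() drops any directory part, so "../" cannot leave $base.
        $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));

        // Reject missing files and anything that resolves outside $base (e.g. a symlink).
        if ($base === false || $path === false || !is_file($path)
            || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
            throw new NotFoundHttpException('File not found.');
        }

        // inline => show the PDF or image in the browser instead of forcing a download.
        return Yii::$app->response->sendFile($path, basename($path), ['inline' => true]);
    }
}
```

Once the files are moved, the old /basic/web/uploads/ URLs stop resolving, so every existing link has to point at the controller route instead.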