User Account Directory Access

This problem is not really uncommon, but I don't really have an idea how I can implement this. I have 500 registered users in my mini-forum and they have files uploaded to my server. As my users have already mapped the directory structure on my web server, they were able to access the uploaded files of my registered users even if they don't own them. I want to make my users access their own files ONLY and not the files of others. I'm thinking of using htaccess but that approach is kinda obscure.

If you have any ideas or suggestions, please kinda post an answer ^^ thanks

Example: user "mami" has a folder named "mamifolder" but user "dadi" must not be able to access "mamifolder". User "dadi" can only access "dadifolder".

I have already read about Yii's RBAC, but Yii's RBAC is authorization item based… which means I can only suppress unauthorized actions within my controllers and not the accessing of files.

Solutions that I know but that have major cons:

  1. is to store all the files in the database (cons: this is a really bad practice since the days of PHP 4, it's not really a good practice)

  2. is to make the uploaded files protected by htaccess and let PHP render the uploaded file (cons: another bad practice which makes a web app very slow to load. For example, private images will be loaded using PHP. What if there are many private images to be loaded at the same time on the same page?)

What I did in a project is provide an action to retrieve the file, and never put the file URL directly anywhere.

That means that when they upload a file, you can first rename it, then put it in a specific subfolder, and put the path and/or filename in your db.

Then when they request the file, they don’t click on a standard link, but rather on an action that will check access rules, then retrieve the full filepath+name from the db and then serve the correct headers and contents.

There are downsides, notably that users will never be able to link directly to any file, even if it is their own.

There may / should be other ways.
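
The flow described in the answer above (renamed file in a private subfolder, path in the db, an action that checks access before serving), as an added plain-PHP example that is not code from this thread. The storage path, the `$files` rows standing in for the db table, and the `user_id` session key are assumptions.

```php
<?php
// Added example: constructed rows standing in for the database table
// that maps each upload to its owner and its renamed on-disk file.
const STORAGE_ROOT = '/var/app/private_uploads'; // assumed path, outside the web root

$files = [
    17 => ['owner_id' => 1, 'stored_name' => 'mami/9f2c1a.bin', 'original_name' => 'holiday.jpg'],
    18 => ['owner_id' => 2, 'stored_name' => 'dadi/77ab03.bin', 'original_name' => 'notes.pdf'],
];

/** Return the absolute path of the file if $userId owns it, otherwise null. */
function authorizedPath(array $files, int $userId, int $fileId): ?string
{
    $row = $files[$fileId] ?? null;
    if ($row === null || $row['owner_id'] !== $userId) {
        return null; // unknown file and someone else's file get the same answer
    }
    $root = realpath(STORAGE_ROOT);
    $path = realpath(STORAGE_ROOT . '/' . $row['stored_name']);
    // realpath() resolves ".." and symlinks; reject anything outside the root.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function serveFile(array $files, int $userId, int $fileId): void
{
    $path = authorizedPath($files, $userId, $fileId);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    // Strip characters that could break out of the quoted header value.
    $name = str_replace(['"', "\r", "\n"], '', $files[$fileId]['original_name']);
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path); // streams the file without loading it all into memory
}

// In the action: the user id comes from the session, never from the request.
session_start();
serveFile($files, (int) ($_SESSION['user_id'] ?? 0), (int) ($_GET['id'] ?? 0));
```

Because the request carries only a numeric id, knowing another user's folder name no longer helps: "dadi" asking for id 17 gets the same 404 as a request for a file that does not exist.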

Thanks for reply

That's also my other option, but I'm concerned about speed: what if there are 10 private files to be rendered on the same page? I think it will be very very slow somehow…

Yeah, I hope there will be other ways posted here.

Interesting topic …

But, can you please be a little bit more specific.

  • First of all, if you want to hide the content from a folder to be shown while typing in the browser address bar something like just put a blank index.html in each user folder. I'm sure that you've already done that :wink:

  • Then what do you mean by "to be able to access" ?

I made a template app where the users get their own dir to which they can upload files.

Thanks to elfinder they also get powerful possibilities: creating sub directories, adding new files, rename, replace, etc.

Then it's just simple to restrict the entire /files/users folder, which you can easily find out how to do using Google :)

Thanks Sampa for the tip and for the template app. Keep up the good job.

After reading your comment, I’ve googled it and found this: How to restrict user access to content in folders using PHP and Apache .htaccess files :slight_smile: