Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
When a user uploads a file and you store it, to then display it back to the user I've been embedding the link to the image like an asset. The problem is that the web server now handles this and it skips PHP/Laravel altogether which means no authentication/authorization. The file does have a hash (md5?) for the file name which means for a user to try to find other user uploaded files would take a lot of time, though not impossible.
How are you guys embedding user uploaded images and still checking if the image can be shown with Laravel auth?
Is there a Laracasts video anyone can link me on this?
@ryanmortier I upload files to S3 and files are only viewable via a signed URL. The signed URL is only generated if the authenticated user is actually allowed to view that file in the first place: https://laravel.com/docs/8.x/filesystem#temporary-urls
@martinbean That looks like what I need to do. Unfortunately I'm not currently using the S3 driver. Is it possible to securely show images and files using the local driver?
@ryanmortier Not without reading images from disk, into memory, only to just return them again, which would be a waste of your server’s resources. Especially if an image you’re loading exceeds the amount of memory available to that PHP process at that time.
@ryanmortier I used an adaptacion of: https://laravel.io/forum/04-23-2015-securing-filesimages
Of course I modified as needed.
@jlrdw Awesome, I'll give this a go. Thanks.
@ryanmortier my version is heavily modified, I used the authenticated users ID inside the file name.
Ann124asdc_127.jpg example only
I have a helper function that plucks out the 127 it is the user ID. The example assumed that the current authenticated uses auth ID is 127.
I'm on mobile now not at my desktop, but there's many ways you can adapt that.
Please or to participate in this conversation.