
schmidtke182's avatar

How to protect images and files

Hi folks, how can I protect images (and other files such as videos, PDFs, etc.) from public viewing, and only show them to admins and the client they belong to?

What I'm trying to build in Laravel is a little file manager, where my clients could log in and see logos and other stuff which belong to them only. The problem is, I have no clue where and how to start with it. So thanks for any help and advice on how to:

  1. protect files from the public
  2. allow only admins and the clients they belong to to view these files.
0 likes
5 replies
Snapey's avatar
Snapey
Best Answer
Level 122

There are three approaches I can think of just now;

  1. You intercept all image and video requests with Laravel, then using the router, serve up the content that the user was after, provided they are authorised. THIS WILL BE SLOW!

  2. You rely on obscurity and put all that client's images, videos, etc. in a folder that has a long, unguessable random URL. You can then link to the content in your code using the 'static' folder name. The customer's content will always be in that folder and accessible whether they log in or not. The advantage of this compared to 1 is that your framework does not have to boot for every image or video.

  3. Have all the content hidden away - possibly in the storage folder. When the user logs in, create a temporary symbolic link between their public folder and their folder in storage. Keep a note of the link in the session. Use the link in all gallery etc rather than the static code used in (2) above. Once they log out the code will no longer be valid, and you can delete the symbolic link on logout or have a job to tidy it up periodically.

3 likes
schmidtke182's avatar

@qteck yeah, there is a video for it. But the filesystem solves more the problem on how to store data on a cloud like Amazon S3 etc. Not on how to protect them. Thank you anyway!

@Snapey , thanks a lot for your approaches! The second one seems quite good and easy. But the risk for sensitive data would be pretty high. I just found this:

public function getFile($filename)
{
    return response()->download(storage_path($filename), null, [], null);
}

'The fourth argument of download() being null prevents the Content-Disposition header being set to attachment. So your browser won't ask you save the file, but just show it.'

from here: http://laravel.io/forum/04-23-2015-securing-filesimages

I will try this one. Which, I think, will lead to your first approach.

1 like
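The getFile() snippet above returns whatever path it is given to any caller. As an added example (not code from the thread or from Laravel itself), here is one way to serve the file through the framework only after checking ownership and confining the path to the client's folder. The controller name, the route, the is_admin and client_id user attributes, and the storage/app/clients/{id} layout are all assumptions.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

// Hypothetical controller. Assumed route, behind the auth middleware:
// Route::get('/files/{clientId}/{filename}', [ClientFileController::class, 'show'])
//     ->middleware('auth');
class ClientFileController extends Controller
{
    public function show(Request $request, string $clientId, string $filename)
    {
        // Only numeric client ids are valid folder names in this layout.
        abort_unless(ctype_digit($clientId), 404);

        // Assumed user attributes: is_admin (bool) and client_id (int).
        $user = $request->user();
        $ownsFolder = (string) $user->client_id === $clientId;
        abort_unless($user->is_admin || $ownsFolder, 403);

        // Assumed layout: storage/app/clients/{clientId}/{filename}
        $base = realpath(storage_path('app/clients/' . $clientId));
        abort_if($base === false, 404);

        // realpath() resolves "../" segments and symlinks, so the prefix
        // check below is made against the file's real location.
        $path = realpath($base . DIRECTORY_SEPARATOR . $filename);
        $prefix = $base . DIRECTORY_SEPARATOR;

        $insideFolder = $path !== false
            && strncmp($path, $prefix, strlen($prefix)) === 0
            && is_file($path);
        abort_unless($insideFolder, 404);

        // file() displays the content inline instead of forcing a download;
        // nosniff stops the browser from guessing a different content type.
        return response()->file($path, [
            'X-Content-Type-Options' => 'nosniff',
        ]);
    }
}
```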
Snapey's avatar

This is alright if the user sees just a text link and clicks 'show' or similar. Probably too slow for an image gallery, and if you want to serve all images this way you will need to tell your web server what content it can serve directly and what needs to come through index.php

schmidtke182's avatar

@Snapey thanks for the info, maybe I'll combine your second approach and response::download. For the preview gallery, I'll use a random URL and for the sensitive downloadable zip file response::download as above.
