Currently when a user uploads a file, it is stored in /public/uploads which was fine, but now I've just tried to add a route of uploads which conflicts with the directory which is protected by nginx.
That coupled with the fact that I don't want the files to be directly available using just the http://mydomain.com/uploads/name_of_file URL has led me to think that I should do one of the following:
Look at S3
Rename the uploads directory to anything else
Store the files in the storage directory
What are your thoughts? What are the implications of the above?
I use the storage dir for uploaded files then return the file via a download() response. There's a little performance hit as you're booting up the framework for every file, but the overhead didn't really matter for me - thankfully the sites aren't very popular ;-) I also figured it was a nice way to hide the implementation so if I needed to shift things around the code path should (no - don't laugh!) stay much the same :-)
I thought about the same approach. Right now I have zero users as I'm building an MVP so best practices, and all that jazz aren't the main factors. I'm a perfectionist but right now I'm in "just get it done" mode, so that sounds like a good solution.
Renaming the uploads directory to anything else wouldn't fix the issue, would it?
Keeping everything at the storage directory vs an S3 server - it depends whether the server your app runs on can (and should) deal with all the uploaded files and possible download bandwidth, without affecting everyone else's experience while using the application.
Renaming the uploads directory to anything else wouldn't fix the issue, would it?
Yes it does as my route uploads/ was trying to access the directory, and not my Controller method.
Right now, I'm not worried about performance, upload download as this is a proof of concept. But yes, in practice it would definitely be a major consideration.
@ohffs what would the method look like that downloads the file?
To everyone else, what is a good way to protect the files? I don't think I'm too concerned with passwords, but I would like to limit downloading the file to (a) the person who uploaded it, and (b) the teacher of the module the file essentially "belongsTo".
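An added example, not code from anyone in the thread: the check asked about above (uploader or the module's teacher) placed in front of a file kept outside the web root, in plain PHP. The record fields, function names and sample file are assumptions constructed for illustration; in a Laravel controller the final step would hand the resolved path to `response()->download()`.

```php
<?php
declare(strict_types=1);

// Constructed sample record; in the app this would come from the database.
$upload = ['id' => 7, 'user_id' => 42, 'module_teacher_id' => 9,
           'stored_name' => 'a1b2c3.pdf', 'original_name' => 'essay.pdf'];

// Only the uploader or the teacher of the owning module may download.
function canDownload(int $userId, array $upload): bool
{
    return $userId === $upload['user_id']
        || $userId === $upload['module_teacher_id'];
}

// Resolve a stored name to a real file and refuse anything outside the root.
function resolveStoredFile(string $storageRoot, string $storedName): ?string
{
    $root = realpath($storageRoot);
    $path = realpath($storageRoot . DIRECTORY_SEPARATOR . $storedName);
    if ($root === false || $path === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    $inside = strncmp($path, $prefix, strlen($prefix)) === 0;
    return ($inside && is_file($path)) ? $path : null;
}

// Authorise first, then touch the filesystem.
function handleDownload(int $userId, array $upload, string $storageRoot): array
{
    if (!canDownload($userId, $upload)) {
        return ['status' => 403];
    }
    $path = resolveStoredFile($storageRoot, $upload['stored_name']);
    if ($path === null) {
        return ['status' => 404];
    }
    // In Laravel: return response()->download($path, $name);
    return ['status' => 200, 'path' => $path,
            'name' => basename($upload['original_name'])];
}

// Demo with a constructed storage directory outside any web root.
$root = sys_get_temp_dir() . '/uploads_demo_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . '/a1b2c3.pdf', 'constructed sample');
foreach ([42, 9, 5] as $uid) {   // uploader, teacher, unrelated user
    echo $uid, ' => ', handleDownload($uid, $upload, $root)['status'], PHP_EOL;
}
$bad = ['stored_name' => '../outside.txt'] + $upload;  // name escaping the root
echo 'escape => ', handleDownload(42, $bad, $root)['status'], PHP_EOL;
unlink($root . '/a1b2c3.pdf'); rmdir($root);
```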
I've been using S3, taking the uploaded file and moving it straight onto S3 where it is encrypted using the inbuilt S3 encryption. It streams the file so can handle large files because the file is not read into RAM.
In your controller, and assuming you have configured your S3 bucket settings: