Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

Narares's avatar

How to prevent the file from public on Digital Ocean Space?

Hi everyone I stuck on Digital Ocean that I want to prevent my file from the public.

First of all. I set the .env file like this

DO_SPACES_KEY= THE KEY
DO_SPACES_SECRET= THE SECRET
DO_SPACES_ENDPOINT=https://sgp1.digitaloceanspaces.com
DO_SPACES_REGION=sgp1
DO_SPACES_BUCKET= MY BUCKET NAME
DO_SPACES_URL=https://mydomain.sgp1.digitaloceanspaces.com

Then I set the config->filesystem.php

'do_spaces' => [
    'driver' => 's3',
    'key' => env('DO_SPACES_KEY'),
    'secret' => env('DO_SPACES_SECRET'),
    'region' => env('DO_SPACES_REGION'),
    'bucket' => env('DO_SPACES_BUCKET'),
    'url' => env('DO_SPACES_URL'),
    'endpoint' => env('DO_SPACES_ENDPOINT'),
    'visibility' => 'public',
],

After that make the controller store the file

    //convert image name
    $stringImageReFormat=base64_encode('_'.time());
    $ext=$request->file('image')->getClientOriginalExtension();
    $imageName=$stringImageReFormat.".".$ext;
    $imageEncoded=File::get($request->image);

    //upload & insert
     Storage::disk('do_spaces')->put('public/user_image/'.$imageName,$imageEncoded);

    // Insert Data to Table
    $user=new User();
    $user->image=$imageName;
    $user->save();

On my blade template, I retrieve the file like this

{{ Storage::disk('do_spaces')->url('public/user_image/'.$user->image) }}

This is what I get when I don't set the visibility to public

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<BucketName>mybucket</BucketName>
<RequestId>tx0000000000000088d0617-00607228ae-13200e4-sgp1b</RequestId>
<HostId>13200e4-sgp1b-sgp1-zg02</HostId>
</Error>

If I set the visibility in the filesystem.php to public. I can see the files without authentication.

Thank you in advance for any help or advice.

0 likes
5 replies
jlrdw's avatar

One technique is: https://laravel.io/forum/04-23-2015-securing-filesimages

And use authentication. I normally have users id as part of file name to verify. Something like:


    public function displayImage() {

        $basedir = storage_path('app/upload');
        $imagedir = Request::input('dir');
        $image = Request::input('img');
        $string = $image;
        $str = (int) Cln::findId($string, "_", ".");

        If (Auth::id() != $str) {
          exit(0);
        }
        
        if (Auth::check()) {
            $file = $basedir . '/' . $imagedir . '/' . $image;
            return response()->file($file, array('Content-Type' => 'image/jpeg'));
        }

    }

Also DigitalOcean has guides and articles as well.

A good starting point is their documentation:

https://docs.digitalocean.com/products/spaces/

1 like
Narares's avatar

Thank you for your answer but I don't understand this much. The thing that I have known I already tried.

Snapey's avatar

sounds like it's working as expected

you are giving the browser a url to get the file from. If you set it to private then the user gets access denied. That's what I would expect

1 like
Narares's avatar

Sir, basically we have to set it to the public right? otherwise, the users can't access it?

In my case, I store the value from the form together with the file name and then store it in the same database

and the file to go the path I specified.

If I still need the authenticated users only see the file. What should I do next?

I never store the file in the same folders I separated them one by one.

such as I store a picture of admin I stored them in uploads/images

then I want to store a picture of the article I stored them in uploads/articles

This is a very new thing for me.

jlrdw's avatar

You can put images anywhere in the file system, (out of web folders). You can serve them with a script. In public, anyone can view them.

Are you wanting:

  • Anyone to view them
  • Only owner who "owns" them to view them.

Please or to participate in this conversation.