Hi, I have created some clients. Each of these user should have its own folder on a non-public disk containing some images or files that he can upload on his own. Only to be clear, I don’t use the public disk (app/public), but I have created my own local disk with: 'clients' => [ 'driver' => 'local', 'root' => storage_path('app\clients'), ], Each client must have only access to his own folder, but NOT to the folders of other clients. What is the best solution to ensure, that each client has only access to his own files? I read about gates and polices (laravel.com/docs/10.x/authorization), but I fear that this is not a suitable approach. Do I have to write a middleware, that checks before each request whether the requested file lays within the folder belonging to the client? Do you have a better recommendation to deny access to files outside his own folder?
files that are not in the public folder are not directly accessible, so each request for an image or to list the files in the folder must be handled by your application.
During this request you can simply limit the responses to only the files in the client's folder.
The complexity is not where you think it is.
Thanks for your fast answer. I forgot to write, that I access all the files only with an API, exactley as you probably asssumed. Currently I'm thinking that the best way is to add an middleware to the corresponding routes/routegroups, that checks each time the folder before the request itself.
@ElmarHilber You don't need middleware because the client should not know anything about the folder. They can only access files in their account, not in a specific folder.
Let me explain better. My folder structure: client1000
client1002
client1003
I have a view with the url www.myapp.com/files/1000 that shows all the files of a client with the client-number 1000. The number in the url corresponds to the client-number. When that URL is called, the route goes to the folder 1000 and returns a list of all files that than are than shown to the client. When the same still authenticated user with the client-number 1000 changes by hand the url to www.myapp.com/files/1001, he gets access to the files belonging to another client with client-number 1001. To avoid this possibility, I have to introduce some security mechanism to prevent access to all other folders beside its own.
@ElmarHilber Not sure if this can help, but you can return a 401 error if the authenticated user (a.k.a client, I am guessing) id is not the id passed through the url.
@ElmarHilber let me explain myself more clearly because you are having some sort of mental block with my replies
Why is the user allowed to specify /files/1000?
Why not just /files and then in your controller, you get the folder number from the user account and show them files from 1002 folder (for example)
If you don't give them a route exposing the folder then you don't need to protect against them changing the url
Thank you for your advice. I removed the number from the path as you recommended and solved so the problem. Thx
Please or to participate in this conversation.