
WKMG's avatar
Level 1

Allow PDF generator to access Image after user security check implemented.

I am currently using DomPDF with a Laravel wrapper to generate PDFs. (https://github.com/barryvdh/laravel-dompdf)

It works great, but I recently implemented user authentication to make sure that only authorized users can access certain images. It works as expected, but the problem is that when I generate a PDF, it fails the authentication and thus the images are not added in the PDF.

So the real question is, how do we check that Service Providers are trying to access a resource? If it isn't a user accessing a resource, but instead some process, how can we go about checking that?

I actually have a question outstanding here:

http://stackoverflow.com/questions/30289819/pdf-generation-process-cannot-load-images-after-adding-security-check

Thanks!

phildawson's avatar

So you have a proxy to the image with some middleware/logic like (Auth::check()) protecting from only allowing logged-in users. I would have thought the session/cookie would be passed with the request?

I assume you are checking logged in on the PDF generation so you could probably do this and forget the proxy check:

<img src="/var/www/domain/path/to/storage/image.jpg" />

As far as your other question, testing access, you could determine this, I guess, by checking the current URI:

app('router')->current()->uri();

If something was resolved out of the container from another class, you could use debug_backtrace():

        $backtrace = debug_backtrace();

        if (
            isset($backtrace[2]["class"]) &&
            isset($backtrace[2]["function"]) &&
            $backtrace[2]["class"] == "Illuminate\Routing\Controller" &&
            $backtrace[2]["function"] == "callAction"
        )
        {
            // 'usual routing';
        }

        if (
            isset($backtrace[1]["object"]) &&
            isset($backtrace[1]["function"]) &&
            $backtrace[1]["object"] instanceof FooController &&
            $backtrace[1]["function"] == "bar"
        )
        {
            // 'bar method in FooController made the call';
        }

Or as backtrace is potentially unreliable, pass a flag in the call and check the param on the method?

$bar = app()->make('App\Http\Controllers\FooController')->bar($internalCall = true);
WKMG's avatar
Level 1

Thanks so much for your input!

That’s right; you would think the session/cookie IS passed with the request, but the fact that Auth::check() fails only in PDF generation would say that it is not.

Yes, we are checking if the user is allowed to generate the PDF, but I still need to have the security on the image URL itself so that no one on the internet can just go to it.

I get problems when I try to run debug_backtrace. It runs recursively and generally doesn’t seem to have any useful information. Other than that, I’m not sure how to apply the code you’ve shown here. I appreciate your input all the same, however.

And all in all, I don't see why this solution should be so difficult. I'm accessing the resource while logged in using a Facade which should pass session variables, but for some reason it doesn't...

phildawson's avatar

@WKMG Sorry yeah I meant continue with the proxy and the files out of the public access like in storage, but simply update the src in the view that gets turned into the PDF to be the server path to the image. This looks like it shouldn't work but it does.

<img src="<?php echo storage_path('files/image.jpg') ?>" />

^ Based on having an image.jpg in a files folder in your storage.
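
The approach from the replies above (keep the authenticated proxy route for browsers, hand the PDF view a server path), as an added example that is not part of the thread or of laravel-dompdf. `pdfImageTag` and its parameters are hypothetical names; in Laravel, `$storageRoot` would be `storage_path()` and `$userMayView` the result of the check the proxy route already performs.

```php
<?php
declare(strict_types=1);

/**
 * Build the <img> tag for a PDF view from a file kept outside the web root.
 * $userMayView is the result of the same check the image proxy route does
 * (e.g. Auth::check() plus ownership). It is made here because the PDF
 * renderer reads the file from disk and never passes through that route.
 * Function and parameter names are hypothetical, for illustration only.
 */
function pdfImageTag(string $storageRoot, string $relativePath, bool $userMayView): string
{
    if (!$userMayView) {
        throw new RuntimeException('User is not authorised for this image');
    }

    $root = realpath($storageRoot);
    $file = realpath($storageRoot . DIRECTORY_SEPARATOR . $relativePath);

    // realpath() resolves "../" and symlinks; the result must still be a
    // regular file located under the storage root.
    if ($root === false || $file === false || !is_file($file)
        || strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('Image path is outside storage or missing');
    }

    return '<img src="' . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed sample data: a temporary "storage" directory holding one image,
// plus a file outside it that must never be embedded.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pdfdemo_' . bin2hex(random_bytes(4));
mkdir($base . '/storage/files', 0700, true);
file_put_contents($base . '/storage/files/image.jpg', 'constructed placeholder bytes');
file_put_contents($base . '/secret.env', 'constructed');

// Authorised user, path inside storage: tag is produced.
echo pdfImageTag($base . '/storage', 'files/image.jpg', true), PHP_EOL;

// Traversal attempt and unauthorised user: both are rejected.
foreach ([['../secret.env', true], ['files/image.jpg', false]] as [$path, $allowed]) {
    try {
        pdfImageTag($base . '/storage', $path, $allowed);
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Dompdf only reads local files under its configured `chroot` directory, so the storage directory has to fall inside it.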
