.htpasswd protection for uploads folder [message #101381] Tue, 22 June 2010 05:10
dacoman
Hello,

I have a web app with user accounts protected using sfGuardPlugin for authentication and access control.

The users can upload files to their profiles. These files are stored in the uploads folder. I would like to be able to prevent these files from being accessed directly by using an .htaccess / .htpasswd. Now at the same time I would like to make them available to authenticated users through the symfony web app.

Is this possible? How? I would very much appreciate your thoughts.

Thank you,
-D
Re: .htpasswd protection for uploads folder [message #101451 is a reply to message #101381] Tue, 22 June 2010 21:41
claudia_k
Hi there

I think the safest solution would be to totally disable http access to the protected files folder (e.g. by moving it outside the document root or by using htaccess).

Instead of directly linking to a file in this protected folder you then link to some php script that gets the filename as argument. This php script checks whether the current user has access to the requested file and initiates the download or shows the file.

Note that depending on your setup it might be sufficient to create a mod_rewrite rule in your .htaccess that redirects all requests to the protected files folder to this php script. This way you do not need to change your templates at all.

The advantage of this approach is that you can access your user database or the user session and implement a fine-grained access control without touching the htaccess or needing a htusers. The disadvantage is the overhead of the php script.

Good luck

Claudia


http://www.knewledge.com
Re: .htpasswd protection for uploads folder [message #101464 is a reply to message #101451] Wed, 23 June 2010 07:20
dacoman
Thanks a lot. It sounds like a great idea.

I'm not very familiar with mod_rewrite rules. What might a rule look like, let's say for a script query: http://myhost/myapp/download.php?f=file.ext

Thank you,
--Dan
Re: .htpasswd protection for uploads folder [message #101518 is a reply to message #101464] Thu, 24 June 2010 08:24
claudia_k
Hi there

All your protected files need to be in one special folder (you can have sub-folders there, this does not matter). Let's say this folder has the name 'protected'.

Then you want to redirect every request whose path starts with the folder name 'protected' to the download script and provide the requested file name as a parameter for this script. So the rule should look something like this:

RewriteRule ^protected/(.+)$ download.php?f=$1 [L]

The [L] at the end tells Apache that none of the following rewrite rules should be applied to this request.

This rule should be the first in your .htaccess - so write it directly below the line with the RewriteBase.

Claudia


http://www.knewledge.com
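
A sketch of the download.php described in this thread, added here as an example and not code posted by either participant. The folder path and the $_SESSION['user_id'] key are assumptions standing in for however the application stores its files and exposes the logged-in user. Because the f parameter comes straight from the URL (through the rewrite rule or a direct request to the script), it is resolved with realpath() and must stay inside the protected folder before anything is read.

```php
<?php
// download.php - added example (PHP 7.1+), not code from the thread.
// Assumptions: protected files live in PROTECTED_DIR, and the login code
// stores the authenticated user's id in $_SESSION['user_id'].
const PROTECTED_DIR = '/var/www/myapp/protected'; // hypothetical path

// Map the untrusted "f" value to a real file inside $baseDir, or null.
function resolve_protected_path(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses "..", follows symlinks, and returns false if missing.
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // The resolved path must still sit below the protected folder, so
    // "f=../config/databases.yml" or a symlink pointing elsewhere is rejected.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

$f = $_GET['f'] ?? '';
$file = resolve_protected_path(PROTECTED_DIR, is_string($f) ? $f : '');
// A per-file permission check against the user database would go here.
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

// Serve as an opaque attachment so the browser never renders uploaded content.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($file)));
header('Content-Length: ' . filesize($file));
readfile($file);
```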