I have a web app with user accounts protected using sfGuardPlugin for authentication and access control.
The users can upload files to their profiles. These files are stored in the uploads folder. I would like to be able to prevent these files from being accessed directly by using an .htaccess / .htpasswd. At the same time I would like to make them available to authenticated users through the symfony web app.
Is this possible? How? Very much appreciate your thoughts.
I think the safest solution would be to totally disable http access to the protected files folder (e.g. by moving it outside the document root or by using htaccess).
Instead of directly linking to a file in this protected folder you then link to some php script that gets the filename as argument. This php script checks whether the current user has access to the requested file and initiates the download or shows the file.
Note that depending on your setup it might be sufficient to create a mod_rewrite rule in your .htaccess that redirects all requests to the protected files folder to this php script. This way you do not need to change your templates at all.
The advantage of this approach is that you can access your user database or the user session and implement fine-grained access control without touching the htaccess or needing an htusers file. The disadvantage is the overhead of the php script.
All your protected files need to be in one special folder (you can have sub-folders there, this does not matter). Let's say this folder has the name 'protected'.
Then you want to redirect every request whose path starts with the folder name 'protected' to the download script and provide the requested file name as a parameter for this script. So the rule should look something like this:
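As an added example (my own code, not the answerer's), here is one way to put the whole approach together: the mod_rewrite rule that sends every `protected/...` request to a download script, and the script itself, which checks the user, resolves the requested name safely and streams the file. Assumed names: the script is `download.php` in the document root, the real files live in a `protected` directory one level above the document root, and `current_user_may_download()` is a stand-in for whatever check the application does (with sfGuardPlugin that would go through `sfContext::getInstance()->getUser()`).

```php
<?php
// download.php -- added example, not code from the original answer.
//
// Matching rule for the .htaccess in the document root (Apache mod_rewrite):
//   RewriteEngine On
//   RewriteRule ^protected/(.+)$ download.php?file=$1 [L,QSA]
// Every request for /protected/<name> is rewritten to this script, so the
// templates can keep linking to /protected/<name> unchanged.

// Assumption: the files are stored OUTSIDE the document root, so even a broken
// rewrite rule cannot expose them over HTTP.
define('PROTECTED_DIR', realpath(__DIR__ . '/../protected'));

// Assumption: hook into the application's own access control. Here it only
// checks for a logged-in session; with sfGuardPlugin you would consult
// sfContext::getInstance()->getUser() (isAuthenticated(), hasCredential(), or
// a lookup in the user database to decide per-file access).
function current_user_may_download($relativePath)
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    return !empty($_SESSION['user_id']);
}

// Map the request parameter to an absolute path that is guaranteed to lie
// inside PROTECTED_DIR. realpath() collapses "..", "." and symlinks, so the
// prefix comparison on its result is the real traversal defence; comparing
// the raw string would be bypassable.
function resolve_protected_path($requested)
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $full = realpath(PROTECTED_DIR . '/' . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    if (strpos($full, PROTECTED_DIR . DIRECTORY_SEPARATOR) !== 0) {
        return null; // escaped the folder via ../ or a symlink
    }
    return $full;
}

$requested = isset($_GET['file']) ? $_GET['file'] : '';

// Authorise first, then resolve: an attacker probing for file names should
// not learn which names exist before proving they may download at all.
if (!current_user_may_download($requested)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}

$path = resolve_protected_path($requested);
if ($path === null) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}

// Serve as a generic download. A fixed content type plus "attachment" keeps a
// user-uploaded HTML or SVG file from running script in the site's own origin.
$downloadName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

If the overhead of streaming through PHP matters, the same script can keep the access check and hand the actual transfer back to the web server by emitting an `X-Sendfile: <absolute path>` header instead of calling `readfile()`, which requires mod_xsendfile on Apache; the path must still be the `realpath()`-validated one.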