
I am building a web application in PHP. Users will access with their accounts. They will have resources like their pictures, notes, etc. in the system, as in Facebook.

My first problem is not letting anybody access an account's private resource. Let's say this is a picture. There are 3 situations:

  1. Everybody can access that picture with the URL of the picture.
  2. A friend account of that picture's owner account can access that picture.
  3. Only the owner account can see that picture, nobody else. Even with the URL of the picture.

I don't know if Facebook does anything like point 1, because business is important, and also the privacy of users.

My first idea was making all resource accesses go through a PHP file. But after a while it looked really complex.

My other idea was keeping a list of all resources in a database table, together with their privacy settings. This looks like a better idea, but I am not sure how performance will be affected over time.

What are your thoughts, how would you build a system like this?

P.S. I am planning to add one more web application, and create a shared resource area to put shared resources into. I will need the same privilege system there as well.

tcak

2 Answers

Hm..

  1. You have a "User_ID" in the application.
  2. You have the directory (URL) you want to access.
  3. This directory has its owner "User_ID" in it. Like /store/user_9892/album_2/beer&girls.jpg

So you can execute one SQL query which checks if the in-directory "User ID" is the current application executioner's id or has the owner as a friend. In that case, give access. Else, redirect with a 403 header (or else).
This means you don't need any tables with resources etc. Simply check the owner\friend state with an extremely fast SQL query.

EDIT:
For other account delegating you may simply add a field into your 'user' table... let's name it for example 'access_accounts'. Maybe a serialized array, maybe special-character separated text. Again, all we did is check in one SQL query for permissions for the current User_ID.

If we need to go further and define for any folder any access rights (for any person, for any person group etc.)... then yes, I guess there must be a table with a structure like [path]=>[access_id]. But the idea works again: a simple one-SQL check.

P.S. All of this means that I vote for "making all resource accesses through a PHP file". It can easily be done with .htaccess and a PHP script with some SQL queries and rules in it.

StasGrin

In my experience you can best solve this by uploading your files to a directory that is not available publicly. Then you would also have some table in your database where you'd have at least three columns: the name of the file, the access level you want to give it and the user that uploaded the file.

You could then write something that checks if the visiting user has access to the file. First it would retrieve the column containing information about the mentioned file. Based on that information, if the user has access, use readfile (see the example on the PHP manual) to display the file. In all other cases you could just show a 403 Forbidden page.

In your case the function that checks access would look something like this:

// $accesslevel comes from the database row for the file ('public', 'private' or 'friends'),
// $owner is the uploader's user id, $visitor the id of the currently logged-in user.
// isfriend($visitor, $owner) is assumed to be your own friendship lookup.
function hasAccess($accesslevel, $owner, $visitor) 
{
    if ($accesslevel === 'public') {
        return true;
    }
    if ($accesslevel === 'private') {
        return $owner === $visitor;
    }
    if ($accesslevel === 'friends') {
        return $owner === $visitor || isfriend($visitor, $owner);
    }
    // Unknown access level: deny rather than fall through and return null.
    return false;
}

This is just an example, your implementation would probably be a little different, depending on your environment.

As far as I know Facebook just allows all files to be viewed by everyone, but tries to create a URL that is difficult to guess. As soon as you've got the URL, you can just view the image itself, regardless of the privacy settings of the user that uploaded the image.

Ruben
  • I wasn't aware that Facebook allows seeing an image even while it is private. Anyway, well, Facebook has around 800M accounts. If every account has at least 100 pictures, that becomes 80 billion files. Either they use a different technique or the same technique with thousands of servers. – tcak Sep 06 '12 at 22:09
  • @Johnny Actually, Facebook uses a naming scheme like `[user_id]_[photograph_id]_[random_number]_size` (not sure about the exact scheme), they will probably use a 64-bit photograph id, which would allow about 10 to the power of 20 photos per user. It's safe to say no person would ever reach that... ever! 80 billion is just a tiny tiny tiny fraction of a fraction of the largest number allowed in a 64-bit number. – Ruben Sep 17 '12 at 19:27
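Putting Ruben's hasAccess check and the non-public upload directory together into one complete gatekeeper script, as an added example that is not code from either answer or from the asker: it assumes a PDO connection, a session holding the logged-in user's id, a `files` table with the three columns Ruben describes, and a `friends` table (all hypothetical names), and adds the database lookup, a path check so the requested name cannot escape the upload directory, and the readfile step.

```php
<?php
// serve.php?name=<file name>  (added example; DSN, table and column names are assumptions)
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // outside the document root, never served directly

session_start();
$visitor = (int) ($_SESSION['user_id'] ?? 0);            // 0 = not logged in
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret'); // placeholder credentials

// Friendship lookup via prepared statement (hypothetical `friends` table: user_id, friend_id).
function isFriend(PDO $pdo, int $visitor, int $owner): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM friends WHERE user_id = ? AND friend_id = ? LIMIT 1');
    $stmt->execute([$owner, $visitor]);
    return (bool) $stmt->fetchColumn();
}

// Ruben's three access levels; anonymous visitors only ever get 'public', unknown levels are denied.
function hasAccess(PDO $pdo, string $level, int $owner, int $visitor): bool
{
    switch ($level) {
        case 'public':  return true;
        case 'private': return $visitor !== 0 && $owner === $visitor;
        case 'friends': return $visitor !== 0 && ($owner === $visitor || isFriend($pdo, $visitor, $owner));
        default:        return false;
    }
}

function deny(int $code): void { http_response_code($code); exit; }

// The database row, not anything in the URL, decides who owns the file and at what level it is shared.
$name = basename((string) ($_GET['name'] ?? ''));   // drops any directory component from the request
$stmt = $pdo->prepare('SELECT access_level, owner_id FROM files WHERE name = ? LIMIT 1');
$stmt->execute([$name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) { deny(404); }
if (!hasAccess($pdo, $row['access_level'], (int) $row['owner_id'], $visitor)) { deny(403); }

// Resolve the real path and confirm it is still inside UPLOAD_DIR before reading anything.
$path = realpath(UPLOAD_DIR . '/' . $name);
if ($path === false || strpos($path, UPLOAD_DIR . '/') !== 0) { deny(404); }

header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With a rewrite rule sending every request under the picture URL prefix to this script, the upload directory itself stays unreachable and each download costs two indexed queries, which is the per-request overhead the asker was worried about.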