
I am creating a program that is capable of storing PDFs for the user. These PDFs are stored in web/uploadedFiles/uploads/documents.

Let's say User A uploads a document X.pdf. User A does not want User B to be able to access this document. As it is now, User B can type www.[url].com/web/uploadedFiles/uploads/documenets/x.pdf and view the file. How can I make sure file X.pdf is only viewable by User A (and by those User A says can view the file, for that matter)?

firewalls:
    # Symfony uses the first firewall whose pattern matches; this one matches every
    # path, so the "main" firewall below is never reached.
    secured_area:
        pattern: ^/
        anonymous: ~
        http_basic:
            realm: "Secured Demo Area"

    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
        logout:       true
        anonymous:    true

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }
    # Only applies to requests that reach the front controller; a file that exists
    # under web/ is served by the web server before Symfony ever sees the request.
    - { path: ^/uploadedFiles/, role: ROLE_ADMIN }

To make it easier I first tried to make the "folder" only accessible for admins.

tl;dr: Make a complete folder in /web/ only accessible to admins.

  • You should store your PDFs outside of the `web` folder and access them through PHP. This way you will have complete control over access rights. See my answer here - http://stackoverflow.com/questions/18880785 – dmnptr Jun 09 '14 at 16:06
  • Absolutely. Use the DBMS to track the whereabouts of each file and read them (e.g. via `file_get_contents()`) – Jovan Perovic Jun 09 '14 at 16:08
  • Thank you for the answers. I did at one point put the PDF outside web. But I could still reach them with a URL. www.[somesite].com/ploadedFiles/uploads/documenets/x.pdf would still display the PDF. How do I control access rights in general, regarding files? – Jun 09 '14 at 20:57
  • The only directory that should be accessible via the web is the web folder. Any other way, and you've done it wrong. You can easily achieve this in subfolders by using symlinks. – Seer Jun 10 '14 at 23:21

1 Answer

It has been a long time, but I thought my answer might be helpful.

If you have to keep it in any directory under web, you can have that directory .htaccess-protected, so that no file under that folder will be visible to the browser. You can have a .htaccess file under that directory with the following content:

deny from all

Then, write a controller route which takes your file path / id as a parameter and decides access to the file based on the logged-in user. If the user is allowed to access the file, you can read the file and force it to download.

– Jeet
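The controller route the answer describes, as an added example that is not the answerer's code: a Symfony 2 action that serves a PDF kept outside web/ only to its owner or to users it was shared with. The Document entity, its getOwner()/getSharedWith()/getStoragePath()/getOriginalName() methods and the document_storage_dir container parameter are assumptions.

```php
<?php
// Added example; assumes a hypothetical Document entity with getOwner(),
// getSharedWith() (user collection), getStoragePath() and getOriginalName().
namespace Acme\DocumentBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class DocumentController extends Controller
{
    /**
     * Files live outside web/, so the web server cannot serve them directly;
     * every read passes through this action and its access check.
     *
     * @Route("/documents/{id}", requirements={"id"="\d+"}, name="document_download")
     */
    public function downloadAction($id)
    {
        $user = $this->getUser();
        if (!is_object($user)) {
            throw new AccessDeniedException();
        }
        // Look the file up by database id, never by a client-supplied path.
        $document = $this->getDoctrine()
            ->getRepository('AcmeDocumentBundle:Document')->find($id);
        if (!$document) {
            throw $this->createNotFoundException();
        }
        // Owner, or a user the owner explicitly shared the document with.
        $isOwner = $document->getOwner()->getId() === $user->getId();
        if (!$isOwner && !$document->getSharedWith()->contains($user)) {
            throw new AccessDeniedException();
        }
        // Private directory, e.g. app/storage/documents (assumed container parameter).
        $storageDir = realpath($this->container->getParameter('document_storage_dir'));
        $path = realpath($storageDir . '/' . $document->getStoragePath());
        // Defence in depth: refuse anything that resolved outside the storage dir.
        if ($path === false || strpos($path, $storageDir . DIRECTORY_SEPARATOR) !== 0) {
            throw $this->createNotFoundException();
        }
        $response = new BinaryFileResponse($path);
        $response->headers->set('Content-Type', 'application/pdf');
        $response->setContentDisposition(
            ResponseHeaderBag::DISPOSITION_ATTACHMENT, $document->getOriginalName(), 'document.pdf');
        return $response;
    }
}
```

With the files outside web/, the .htaccess rule is no longer needed for correctness; it only remains useful as a backstop if some upload still lands under web/.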