-1

My Symfony 3 web application has a user login control managed by FOSUserBundle. I am fine checking on login status on server side controlling all necessary actions a user may or may not do.

Now a user can upload images. There is a view that shows the user all of their images. To provide the frontend with the needed img-paths for this user-gallery view, I pass all the paths for this user's images to the frontend and then show them there.

This is where I get confused: How do I restrict access to these img-paths to the respective (logged in) user only and deny it to all others? Or: How do I provide images to a frontend web view without using an img-path accessible for everyone? Is there a way to do this by using Symfony/FOSUserBundle functionality?

mapmalith
user3440145

2 Answers

1

This works for me:

Leave everything as it is, but call a PHP script to retrieve the images instead of loading an image directly. So I only changed the "src" attribute in the img tag to call a script and pass the img name as a GET parameter. In general this is:

<img src="[server]/image.php?img=xy.jpg">

The resulting route in Symfony is a bit different obviously, like:

<img src="[server]/my/img/loading/route/xy.jpg">

In the controller handling the request, the required access rights are checked for the requested image and a response is prepared:

use Symfony\Component\HttpFoundation\Response;

// Inside the controller action, after the access check has passed:
// return the image bytes with the matching MIME type and length.
$response = new Response();
$response->setContent( file_get_contents($imgPath) );
$response->setStatusCode( Response::HTTP_OK );
$response->headers->set( 'Content-type', $mimeType );
$response->headers->set( 'Content-length', filesize($imgPath) );

Returning this response from the respective controller action method now works fine.

user3440145
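The approach in the answer above, written out as a full Symfony 3 controller action with the ownership check and the path handling made explicit. This is an added example, not the poster's code. The entity `AppBundle\Entity\Image` (fields `owner`, `filename`), the parameter `user_image_dir` and the route name are hypothetical, and the files are assumed to be stored outside the public web directory, since a file under the web root stays reachable by its direct URL regardless of this check.

```php
<?php
// Added example. Hypothetical names: AppBundle\Entity\Image (fields "owner",
// "filename"), container parameter "user_image_dir", route "user_image".

namespace AppBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;

class UserImageController extends Controller
{
    /**
     * @Route("/my/img/{name}", name="user_image", requirements={"name"="[A-Za-z0-9._-]+"})
     */
    public function showAction($name)
    {
        // Only logged-in users get past this line.
        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_REMEMBERED');

        // Look the file up by owner AND name: a valid name that belongs to
        // another user finds nothing and yields the same 404 as a missing file.
        $image = $this->getDoctrine()
            ->getRepository('AppBundle:Image')
            ->findOneBy(['owner' => $this->getUser(), 'filename' => $name]);
        if (null === $image) {
            throw $this->createNotFoundException();
        }

        // Build the path from the stored name, never from the raw URL segment,
        // and confirm it resolves inside the storage directory.
        $dir  = realpath($this->getParameter('user_image_dir'));
        $path = realpath($dir . DIRECTORY_SEPARATOR . basename($image->getFilename()));
        if (false === $dir || false === $path || 0 !== strpos($path, $dir . DIRECTORY_SEPARATOR)) {
            throw $this->createNotFoundException();
        }

        // BinaryFileResponse streams the file and sets Content-Type/Length itself.
        $response = new BinaryFileResponse($path);
        $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_INLINE, basename($path));
        $response->setPrivate(); // keep shared caches from storing a per-user image
        $response->headers->set('X-Content-Type-Options', 'nosniff');

        return $response;
    }
}
```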
0

You will need an ACL (Access Control List) for this. One solution is to use a table with imageID and allowed userID so that you can check, for a given image, the allowed users from that table/entity and give the image path to those users. Further, make sure to use the right relationships between the image, image_user and user entities.

How do I restrict access to these img-paths to the respective (logged in) user only and deny it to all others?

How do I provide images to a frontend web view without using an img-path accessible for everyone?

For the two above: in your controller, check the allowed images for the logged-in user in image_user, get the image paths for that specific user, and pass them to the view/Twig (you can use an array for this).

mapmalith
  • Thank you. I didn't have problems with the general access control though. My problem really was a front end issue. See my answer for details. Sorry if the question was not that clear. – user3440145 Nov 03 '16 at 18:14