In a CakePHP3 application that requires Authentication/Authorization, I have the possibility of images being uploaded.
Now I would like to avoid Users being able to see other users images by e.g. guessing image names or such.
Also I would like to use the ids of the entities as filenames which would make it also easy to guess.
So how would you implement authorization for assets?
Asked
Active
Viewed 62 times
-2
Tolga
- 262
- 5
- 16
1 Answers
1
I would prevent the "guessing" of filenames just by generating a random long enough unguessable string of chars as the new filename, like Facebook does with uploading photos:
Because we shouldn't bother at all with the original name of files, we could rename the file that a user uploads. For example User 24976 uploads a file that is called tomato12.png. The upload script will then rename the file to (for example) the following name:
1481540475_24976_iDewM51NYrBYgnIh.png
It consists out of four parts:
[timestamp]_[userId]_[randomString].[suffix]
And then, save the filename into the database. If you would look into the uploads directory, you could be able to see which user has uploaded which file, but an outsider that has no rights to see the directory index would never be able to guess the name of a file. No authentication needed.
Koen
- 422
- 3
- 16