I think I might be missing a basic concept here. I'm working on a system where users can upload and download files. The users work in groups, meaning that you upload a file to a user group. If they choose to make the file private, only members of the user group get the link to the file - everyone else can just see that there is a file, but will not get the link. So far so good - but if I have access, I can just copy the link and send it to you, and you will still have access, so I'm thinking I should deny access to the file directly within the file system. These users and user groups are all just made in regular PHP, saved in a MySQL database. The DB contains the links to the files, but not the files themselves - they are on the disk, since they can be quite huge sometimes.

So I looked up UNIX file permissions in PHP, and I can see that I can use chmod() to set permissions for owner, owner group and others - I can also see how to change the owner of a file with chown(), and the owner group with chgrp(). I also get how to retrieve the current file owner and user group. But I see no way of telling the filesystem which user I am, and I feel like I could be thinking about these commands in the wrong way. If these commands are indeed made for this, there should be a set_current_user function or something, to change the session state for the UNIX system, so that it knows if I have access or not. I cannot find such a method though, and that is why I worry that somehow there is just one global user for what PHP accesses, which cannot be specified for each end user.

I hope my problem is clear enough, but otherwise, please let me know, so that I can provide further information. I cannot be the first person to have had this problem.

I already keep the files in folders with random naming to avoid someone guessing file names/destinations - and I considered some pretty ... bad ... solutions, but this is the solution I want - if it is possible.

ekad
Henrik
  • Why not rely on the database to store your file permissions, something like "role-based access"? Unix file permissions are totally different. – hassan Apr 23 '17 at 13:20
  • The database already knows who has access to the files - but if someone else gets a direct link to the file, then they will have access regardless of the database, since the DB only contains links to the files, and not the actual files. – Henrik Apr 23 '17 at 13:28
  • As a workaround, you may create a middleware to check this. – hassan Apr 23 '17 at 13:30
  • I could make a .htaccess file in the root of my files folder, that redirects all links to a single php file, which would then check the DB for permission before actually redirecting to the file. - is that what you are suggesting? – Henrik Apr 23 '17 at 13:33
  • I really think you are confusing the system user with the user of your application. What method of access are you looking at? Web, FTP, ...? – frz3993 Apr 23 '17 at 13:35
  • No, for example check out http://stackoverflow.com/questions/13454083/secure-file-download-in-php-deny-user-without-permission and http://stackoverflow.com/questions/3010423/how-to-let-users-with-required-permission-download-a-file-via-php – hassan Apr 23 '17 at 13:36
  • frz3993: That is what I feared. This will only be web access. hassan: I think you found what I could not. Looks like I should try out X-Sendfile and symlinks, to see which works best for me – Henrik Apr 23 '17 at 13:53
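
The gatekeeper approach raised in the comments above (one PHP script that checks the database before the file is served, with X-Sendfile handing the transfer to the web server), as an added example that is not part of the original question or comments. The table and column names, the `user_id` session key, the environment variables and the storage path are assumptions; it requires PHP 8 for `str_starts_with()`.

```php
<?php
// download.php?id=123 (added example; schema, session key and paths are hypothetical)

// Assumed storage location: outside the web root, so no URL maps to it directly.
const STORAGE_ROOT = '/srv/app-files';

session_start();
$userId = $_SESSION['user_id'] ?? null;                 // assumed to be set at login
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($userId === null) { http_response_code(401); exit; }
if (!is_int($fileId)) { http_response_code(400); exit; }

$pdo = new PDO((string) getenv('APP_DSN'), (string) getenv('APP_DB_USER'),
               (string) getenv('APP_DB_PASS'),
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// A row comes back only if the file is public or the logged-in user
// belongs to the group that owns it. The decision is made per request,
// so a copied link is useless to someone outside the group.
$stmt = $pdo->prepare(
    'SELECT f.stored_path, f.original_name
       FROM files f
       LEFT JOIN group_members m
              ON m.group_id = f.group_id AND m.user_id = :uid
      WHERE f.id = :fid
        AND (f.is_private = 0 OR m.user_id IS NOT NULL)'
);
$stmt->execute([':uid' => $userId, ':fid' => $fileId]);
$file = $stmt->fetch(PDO::FETCH_ASSOC);
if ($file === false) { http_response_code(404); exit; } // missing or not permitted

// Resolve the stored path and refuse anything that escapes the storage root
// (assumes STORAGE_ROOT is already a canonical path without symlinks).
$path = realpath(STORAGE_ROOT . '/' . $file['stored_path']);
if ($path === false || !str_starts_with($path, STORAGE_ROOT . '/') || !is_file($path)) {
    http_response_code(404);
    exit;
}

// Strip characters that would break the quoted filename parameter.
$name = str_replace(['"', '\\', "\r", "\n"], '', basename($file['original_name']));
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $name . '"');
// mod_xsendfile (Apache) streams the file itself, so large files never pass through PHP.
header('X-Sendfile: ' . $path);
exit;
```

Apache needs mod_xsendfile enabled with `XSendFilePath` covering the storage directory; without it, replacing the `X-Sendfile` header with `readfile($path)` gives the same access control at the cost of streaming through PHP.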

0 Answers