1

Since I am new to Laravel, I am facing some issues in file system and security concerns, my question is..

How to restrict direct access to files in laravel ( http://localhost/projectname/public/uploads/sample.pdf)

I don't want the user to show (get the access) of folder where the files are being save. Problem is if he show the folder he will try to access other files via. directly opening the document path, which is not secure as per privacy point. Just want to prevent any unauthorized access to the file...!

Any valuable feedback will he highly appreciated.

Amit Gupta
  • 11
  • 3
  • 9
  • Don't put them in public is probably the easiest method. – Devon Bessemer Sep 08 '18 at 18:18
  • First of all thanks for the reply. Even if i keep it in local directory , the user can Inspect the url and know the actual storage location and can easy download the file by the url link even if he is not logged in. In worst case he can use brute-force algo to get into the system. – Amit Gupta Sep 08 '18 at 18:42
  • They shouldn't be able to if you configure your web server correctly. The user should never be able to access files outside of the public directory. – Devon Bessemer Sep 08 '18 at 18:51
  • no offence... can you plz help me out, how it will be done... – Amit Gupta Sep 08 '18 at 18:57
  • i have a upload and preview button in my webpage. once the upload is done. while preview the actual url is shown. Which is accessable this is wat i wan to prevent. – Amit Gupta Sep 08 '18 at 19:06
  • Well don't do it that way... read and research my answer. There's no way to use PHP to restrict direct access to files publicly available in your web server. – Devon Bessemer Sep 08 '18 at 19:10
  • i have to show the file to user ( make it view able ) not download able... As mentioned below. Even the url generated for the storage files. If user inspect the page, he can get the access even from out side... – Amit Gupta Sep 10 '18 at 09:11
  • got some help from https://quickadminpanel.com/blog/file-upload-in-laravel-the-ultimate-guide/ but still problem continues.... – Amit Gupta Sep 10 '18 at 09:13
  • @AmitGupta what is your final solution? I'm in similar situation can you help me with that? – Nikhil Radadiya Jul 02 '19 at 12:48
  • https://stackoverflow.com/questions/30682421/how-to-protect-image-from-public-view-in-laravel-5/30682456#30682456 – Maytham Fahmi Jul 04 '19 at 21:31

1 Answers1

3

Store it in your storage directory, not your public directory.

Then provide a link that uses a file download response: http://laravel.com/docs/5.6/responses#file-downloads, in which you can verify authorization.

Never allow access outside your public directory.

Devon Bessemer
  • 34,461
  • 9
  • 69
  • 95