6

In my project, I have implemented auth and ACL for my controllers and routes. I have a file upload system accessible only if the user is logged in. It works fine.

My problem is with the uploaded files. The user can access any file if they have the file URL. How can I implement auth on uploaded files?

I tried with routes, but when accessing my file through the browser the file is shown as if there were no route intercepting this URL.

I have used this code:

Route::get('/storage/document/3/4a15c1ab060be8f35.png', function () {
  return 'ok';
});

How can I implement auth on specific folders on storage? Thanks!

siddiq
Luciano Braga

2 Answers

13

If you want to restrict access to files per user based on some sort of permission, you'll need to build that permission logic yourself (StackOverflow isn't going to do your job for you), but for the sake of answering this question, let's assume you already have that permission system in place and in order to check whether the user has access, our function is hasAccessToFile which basically just does a look up based on whatever your business logic requires.

Instead of serving all files publicly, you can serve individual files, here's a very brief example:

Route::get('files/{pathToFile}', function($pathToFile) {

    if (auth()->user()->hasAccessToFile($pathToFile)) {
        return response()->file($pathToFile);
    } else {
        return 'Nope, sorry bro, access denied!';
    }

});

See the File Responses documentation.

If you need to provide downloads of the files rather than serving of them, similarly:

Route::get('files/{pathToFile}', function($pathToFile) {

    if (auth()->user()->hasAccessToFile($pathToFile)) {
        return response()->download($pathToFile);
    } else {
        return 'Nope, sorry bro, access denied!';
    }

});

See the File Downloads documentation.

Stephen Lake
  • The part of showing the file if the user has permission is not the problem. But this does not work if the file is in the public folder `storage/app/public`. How can I make it protect a subfolder of `public` like `storage/app/public/docs`? – Luciano Braga Nov 10 '18 at 14:42
  • 2
    Don’t use the public folder or any sub directories for protected files. If you need to display a protected image or download a file then serve it over an endpoint(route) you can control. – Adam Rodriguez Nov 10 '18 at 18:13
  • 1
    @LucianoBraga Adam just said it. You're not supposed to make everything public if you don't want everything to be public. If you want to serve files privately, then they cannot be accessible in storage via the **public** resource directory. Makes sense right? – Stephen Lake Nov 10 '18 at 19:54
  • @snh Yes, makes sense. I understand it, but I have files in the public folder that I want to turn into private. In this case, the solution is to move these files to another folder, right? – Luciano Braga Nov 11 '18 at 10:40
  • 2
    @LucianoBraga That's right, move them anywhere you like outside of the public directory, preferably the storage folder and if your storage folder is symlinked, you'll need to ensure the destination folder isn't publicly readable, obviously. – Stephen Lake Nov 11 '18 at 10:50
  • 1
    OK. Thanks for all!! – Luciano Braga Nov 11 '18 at 11:33
  • Looks like this is an LFI vuln if you have the correct permissions; looks good but needs more logic – Jaquarh Jul 19 '21 at 11:05
  • @jaquarh Possibly, but that's out of scope of OP. Perhaps you can contribute a tutorial on protecting local files? – Stephen Lake Jul 20 '21 at 13:16
  • 1
    Perhaps it would be enough to just strip any traversal attempts out of it, i.e. `../`, but you could get creative and make something robust. Although, rightly so, far outside OP's scope, people still visit SO questions and CTRL+C CTRL+V without any thoughts on what they're putting into their application @StephenLake – Jaquarh Jul 20 '21 at 13:52
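Putting the answer and the comment thread together (files moved off the public disk, a route under `auth`, and the traversal check the comments ask for), here is an added example of a hardened version of that route. It is not code from the answer above; it assumes a `private` disk configured in `config/filesystems.php` with a root under `storage/app/` that is not symlinked into `public/`, plus a hypothetical `Document` model and policy used for the ownership lookup.

```php
<?php
// routes/web.php (Laravel). Added example, not the answer's own code.
// Assumes: a "private" disk rooted outside public/ and never symlinked,
// and a hypothetical App\Models\Document with a `view` policy method.

use App\Models\Document;                 // hypothetical
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

Route::middleware('auth')->get('/files/{path}', function (Request $request, string $path) {
    // Validate the path before touching the filesystem: every segment must be a
    // plain file or directory name, so "../", empty segments and absolute paths
    // are rejected here rather than "stripped" (stripping can be bypassed).
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..'
            || !preg_match('/^[A-Za-z0-9._-]+$/', $segment)) {
            abort(404);
        }
    }

    // Only ever read from the private disk; never build a path from public/.
    $disk = Storage::disk('private');
    if (!$disk->exists($path)) {
        abort(404);
    }

    // Hypothetical ACL lookup: the Document row maps the stored path to the
    // users allowed to see it; the policy decides, not the URL.
    $document = Document::where('path', $path)->firstOrFail();
    if ($request->user()->cannot('view', $document)) {
        abort(403);
    }

    // Stream the file inline with the right Content-Type; swap for
    // $disk->download($path) if the file should be an attachment.
    return $disk->response($path);
})->where('path', '.*');   // allow "/" in the parameter so subfolders resolve
```

Because the route parameter is matched with `.*`, nested paths like `docs/2018/report.pdf` reach the closure, which is why the segment-by-segment check above must run before any disk access.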
3

You can refer to my answer here. The process includes creating a new Storage Disk that saves files on /storage/app/ (not in public folder) and validating the request before serving the file to the user.

Abdelsalam Shahlol