0

I'm building a web app (in PHP) that allows assigning HTML resources (HTML pages) to users. A user should only be able to access pages assigned to him. The problem is that if a user gets URLs to these pages and then I revoke his permission to that page, he will still be able to access it.

Is there some way to only allow these HTML pages to load from an iframe in my app (in my domain, for example)? This way I will do the needed checks in my web app and load the page in an iframe if the user has access; otherwise, no one can access it.

Badr

1 Answer

0

> Is there some way to only allow these HTML pages to load from an iframe in my app (in my domain, for example)?

No. At least not in ways that aren't trivial to bypass.

Generate your HTML from PHP which does authn/authz instead.

Quentin
  • I thought about this, but unfortunately I can't. I have a ton of HTML pages (generated with some documentation tool). – Badr May 13 '19 at 15:01
  • Does the documentation tool generate static files? Keep the files outside the web root and wrap them with a PHP script that does authn/authz, works out what file to load based on the URL (use the front controller pattern), and then uses `readfile` to send it to the client. – Quentin May 13 '19 at 15:04
  • I tried this, but the problem is these pages contain URLs to navigate... with this approach those links don't work. – Badr May 13 '19 at 15:09
  • Then you'll need to rewrite the URLs on the way through. – Quentin May 13 '19 at 15:10
  • Could you please provide an example? – Badr May 13 '19 at 15:11
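
Added example (not code from the question, the answer or the comments): a sketch of the wrapper described above, with the generated files kept outside the web root and every request passing through an authn/authz check before `readfile`. It routes on `PATH_INFO` (for example `/docs.php/guide/index.html`), so relative links inside the generated pages resolve back through the script without rewriting; absolute links would still need rewriting. `DOCS_ROOT`, `user_may_access()`, the `user_id` session key and the sample ACL are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Assumed names: DOCS_ROOT, user_may_access(), $_SESSION['user_id'],
// and a script URL such as /docs.php/guide/index.html (server must pass PATH_INFO).

const DOCS_ROOT = '/srv/app/private-docs'; // assumed path, outside the web root
const MIME = ['html' => 'text/html; charset=utf-8', 'css' => 'text/css',
              'js' => 'text/javascript', 'png' => 'image/png', 'svg' => 'image/svg+xml'];

// Hypothetical permission lookup; replace with the application's own query.
function user_may_access(int $userId, string $relPath): bool
{
    $acl = [42 => ['guide/']]; // constructed sample: user 42 may read guide/*
    foreach ($acl[$userId] ?? [] as $prefix) {
        if (strpos($relPath, $prefix) === 0) return true;
    }
    return false;
}

// Map the requested path to a canonical path relative to DOCS_ROOT, or null
// if it does not exist or resolves outside DOCS_ROOT (../ or symlink tricks).
function resolve_doc(string $requested): ?string
{
    $root = realpath(DOCS_ROOT);
    $file = realpath(DOCS_ROOT . '/' . ltrim($requested, '/'));
    if ($root === false || $file === false || !is_file($file)) return null;
    if (strpos($file, $root . DIRECTORY_SEPARATOR) !== 0) return null;
    return substr($file, strlen($root) + 1);
}

session_start();
$userId = $_SESSION['user_id'] ?? null;          // set by the app's login code
$rel = resolve_doc($_SERVER['PATH_INFO'] ?? '');
$ext = $rel === null ? '' : strtolower(pathinfo($rel, PATHINFO_EXTENSION));

if ($userId === null) {
    http_response_code(401);
    exit('Login required');
}
// Permission is checked on every request, so revoking it takes effect immediately.
if ($rel === null || !array_key_exists($ext, MIME) || !user_may_access((int) $userId, $rel)) {
    http_response_code(404);                      // same reply for missing and forbidden
    exit('Not found');
}
header('Content-Type: ' . MIME[$ext]);
header('Cache-Control: private, no-store');       // keep revoked pages out of caches
header('X-Content-Type-Options: nosniff');
readfile(DOCS_ROOT . '/' . $rel);
```

The permission check runs against the canonical path returned by `realpath`, not the raw request string, so a request containing `../` cannot be authorized as one page and served as another.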