
This problem is not really uncommon, but I don't really have an idea of how I can implement this. I have 500 registered users in my mini-forum and they have files uploaded to my server. As my users have already mapped the directory structure of my web server, they were able to access the files uploaded by my other registered users even though they don't own them. I use a PHP framework called Yii and MySQL to manage my users, but I want my users to be able to access only their own files and not the files of others. I'm thinking of using htaccess but that approach is kind of obscure.

If you have any ideas or suggestions please kindly post an answer ^^ thanks

Example: user "mami" has a folder named "mamifolder", but user "dadi" must not be able to access "mamifolder". User "dadi" can only access "dadifolder".

Solutions that I know of, but which have major cons:

1) Store all the files in the database (cons: this has been considered a really bad practice since the days of PHP 4; it's not really a good practice, I think).

2) Protect the uploaded files with htaccess and let PHP render the uploaded file (cons: another bad practice, which makes a web app very slow to load. For example, private images would be loaded through PHP. What if many private images are loaded at the same time on the same page?).

Netorica

2 Answers

For this you have to use Role Based Access Control; fortunately, Yii provides a very strong RBAC implementation. Role-Based Access Control is your thing. You would have to use a business rule with it. There are one or more ways to do that, but this is the best one.

For example:

// Operation: the atomic permission being protected.
$this->_authManager->createOperation("updateHotel", "update Hotel information");
// Business rule, evaluated at check time: the current user must own the
// hotel model passed in $params["model"].
$bizRule = 'return Yii::app()->user->id==$params["model"]->user_id;';
// Task that groups the operation under the business rule.
$task = $this->_authManager->createTask("updateOwnHotel", "update hotel by manager himself", $bizRule);
$task->addChild("updateHotel");
// Role granted to users; it inherits the task and therefore the operation.
$role = $this->_authManager->createRole("manager");
$role->addChild("updateOwnHotel");

Now, what does the above code do? It creates an operation, updateHotel, and then creates a business rule that takes a parameter. Then you create the task that should be performed, which in the example is updateOwnHotel. Then you have to create roles, for example manager or reader, whatever you intend to have, and add updateOwnHotel as a child of the role.

When performing the operation in the application you just need to call Yii::app()->user->checkAccess('updateOwnHotel', $params), which will return true or false, i.e. whether he can update that hotel or not. You can do something similar in your case.

Afnan Bashir
  • Yii's RBAC is authorization item based... which means I can only suppress unauthorized actions within my controllers, and not access to files. – Netorica Mar 16 '12 at 07:36
  • No, you would have to define `Roles`, `Tasks` and stuff like this; see the updated answer – Afnan Bashir Mar 16 '12 at 10:10

I would say your only option is to move the files out of your public web directory and to use something like this. You just need to store the IDs of the files in the database, not the whole file.

Puigcerber
  • Is this solution going to be very slow? I will be rendering 10+ images on the same page at the same time. – Netorica Mar 16 '12 at 09:31
  • But how are you loading them now? Are you going to load thumbnails of the pictures? – Puigcerber Mar 16 '12 at 09:34
  • Just tag with absolute paths to the files? I can't assure anything, but this is not going to be slower: if all the pictures you are loading on one page belong to the same user it will be just one query to add, and if you want to protect the pictures you don't have many choices. – Puigcerber Mar 17 '12 at 13:25
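An added example (not code from either answer, nor a file from any Yii project) that puts the two answers together in Yii 1.1: uploads live outside the web root, each database row records the owner and a server-generated file name, and a controller action runs the ownership business rule before letting the web server stream the file with X-Sendfile, so PHP only does the lookup and the check. The UserFile model and its columns, the uploadPath config param, the viewOwnFile task and the assignment of the member role to each user are assumptions of this example.

```php
<?php
// Added example, not code from the original answers. Assumes a UserFile
// ActiveRecord (columns: id, user_id, stored_name, original_name, mime_type)
// and a config param 'uploadPath' that points OUTSIDE the public web root.

// One-time RBAC setup (run once, e.g. from a console command), following the
// operation / task / business-rule pattern from the first answer.
function setupFileRbac(CAuthManager $auth)
{
    $auth->createOperation('viewFile', 'view an uploaded file');
    // The business rule passes only when the caller owns the file record.
    $bizRule = 'return Yii::app()->user->id == $params["model"]->user_id;';
    $task = $auth->createTask('viewOwnFile', 'view own uploaded file', $bizRule);
    $task->addChild('viewFile');
    $role = $auth->createRole('member');   // assign to each user with $auth->assign()
    $role->addChild('viewOwnFile');
}

class FileController extends CController
{
    // GET /file/view/id/123 streams the file only to its owner.
    public function actionView($id)
    {
        $file = UserFile::model()->findByPk((int) $id);
        // A missing row and another user's row both get 404, so ids belonging
        // to other users cannot be told apart from nonexistent ones.
        if ($file === null
            || !Yii::app()->user->checkAccess('viewOwnFile', array('model' => $file))) {
            throw new CHttpException(404, 'File not found.');
        }
        // The on-disk name is server-generated and read from the DB row, never
        // from the URL, so the client cannot steer the path (basename() is a
        // second guard against a stored name containing separators).
        $path = Yii::app()->params['uploadPath'] . DIRECTORY_SEPARATOR
              . basename($file->stored_name);
        if (!is_file($path)) {
            throw new CHttpException(404, 'File not found.');
        }
        // Hand the bytes to the web server via X-Sendfile (mod_xsendfile on
        // Apache; on nginx pass 'xHeader' => 'X-Accel-Redirect' and an internal
        // location) instead of reading them through PHP.
        Yii::app()->request->xSendFile($path, array(
            'saveName'      => $file->original_name,
            'mimeType'      => $file->mime_type,
            'forceDownload' => false,
        ));
    }
}
```

Because the web server, not PHP, moves the bytes once the check has passed, a page with many private images costs one lookup and one rule evaluation per image rather than a PHP process holding each file in memory.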