Hi all. I am working on an application for which there are two levels of user. User level 1 must upload files to the server, and user level 2 must be able to download any files uploaded by users of level 1. I have already implemented page level security to restrict each level user to the pages for which they are authorised. My problem is that for user level 2 to be able to download these files, they must be placed somewhere within the webroot. I want to prevent user level 1 from downloading these files as they are only intended for downloading by users of level 2.
The only idea I had was to store all files outside of the webroot, and when a user of level 2 wants to download these files, they are copied to somewhere in the webroot, with a filename such as "$current-PID_$current-unixtime_$filename". Furthermore, periodically (every hour, for example), delete all files in this folder which are older than an hour. This way, by also preventing directory listing of this folder, the only way a user of level 1 could get these files would be to guess the PID, unix timestamp, and filename, all within an hour (before they are cleaned away again). This I don't think is very likely.
Can anyone either point out any major problems with this approach, or alternatively (preferably), suggest a better alternative?
In case it makes any difference to people's ideas/views, I am not using Apache for access control. Users authenticate against a database, then on each page they visit, their user level (taken from the session object) is checked against the access level required for that page.
I am using Apache::ASP (latest), mod_perl 1.99, Apache2 (latest), perl 5.6.1
Thanks for any advice / feedback
Richard
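The staging scheme described in the post, as an added Perl example that is not part of the original message: it builds the `PID_unixtime_filename` name, shows an assumed variant that swaps the PID and timestamp for a random token, and implements the hourly cleanup. The function names, the temporary directories and `report.txt` are constructed for illustration, and `/dev/urandom` assumes a Unix-like host.

```perl
use strict; use warnings;
use File::Basename qw(basename);
use File::Copy qw(copy);
use File::Temp qw(tempdir);

# Name from the post: PID, unix time and filename, all guessable values.
sub name_from_post { return join '_', $$, time(), basename($_[0]) }

# Assumed variant: 128 bits from the kernel CSPRNG replace PID and time.
sub name_random {
    open my $rng, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($rng, my $bytes, 16) == 16 or die "short read from urandom";
    return unpack('H*', $bytes) . '_' . basename($_[0]);
}

# Copy $src (stored outside the webroot) into $dir as $name; returns the path.
sub stage_file {
    my ($src, $dir, $name) = @_;
    copy($src, "$dir/$name") or die "copy $src: $!";
    return "$dir/$name";
}

# Hourly cleanup: unlink staged files last modified over $max_age seconds ago.
sub purge_stale {
    my ($dir, $max_age) = @_;
    my $removed = 0;
    opendir my $dh, $dir or die "opendir $dir: $!";
    for my $entry (readdir $dh) {
        my $path = "$dir/$entry";
        next unless -f $path;    # skips ".", ".." and any subdirectories
        $removed += unlink($path) if time() - (stat $path)[9] > $max_age;
    }
    closedir $dh;
    return $removed;
}

# Demo on constructed data; the temp directories stand in for real paths.
my $store = tempdir(CLEANUP => 1);    # plays the store outside the webroot
my $stage = tempdir(CLEANUP => 1);    # plays the download folder in the webroot
open my $out, '>', "$store/report.txt" or die "create: $!";
print {$out} "constructed sample upload\n";
close $out;
my $old = stage_file("$store/report.txt", $stage, name_from_post('report.txt'));
my $new = stage_file("$store/report.txt", $stage, name_random('../report.txt'));
utime time() - 7200, time() - 7200, $old;    # as if staged two hours ago
print "staged: $_\n" for $old, $new;
print 'purged: ', purge_stale($stage, 3600), "\n";
print 'fresh copy kept: ', (-e $new ? 'yes' : 'no'), "\n";
```

`basename` strips any directory part from the requested name, so a value such as `../report.txt` cannot place the copy outside the staging folder.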