Hi DD,
I think it would be good if you saved images outside of webroot
structure. E.g. web/app/data
However if you want to keep the same structure, and if you are using
Apache, you could set up this type of scheme:
1. User requests img/abc.jpg
2. Apache picks up on the URL and rewrites it as:
/images/get?name=abc.jpg
3. In the images controller, write an action 'get' and check that the
user is logged in; if they're logged in, return the image (e.g. using
MediaView).
You can drop the rewrite rule into an .htaccess file in the webroot/img
folder so it only affects this folder.
The rewrite rule might look like this:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*) [NC]
RewriteRule ^(.*) /images/get?name=$1
Of course this will solve your problem but:
1. it will have a performance impact (every request for an image will go
through the PHP process);
2. every image will be rewritten including images that may not need the
user to be logged in
(2) can be alleviated by a smarter rewrite condition, and you could also
check, in the 'get' action, that the image is one that requires the user
to be logged in.
Cheers,
Doug
On 27/07/11 09:04, DigitalDude wrote:
Hey,
today I was wondering on how to solve a specific task: I have a Cake
app where users can upload images. As most of us know the image folder
in the webroot is public and anyone could view these images, as long
as they know the filename (listing of index is prohibited).
Another way is to put uploaded files on an image server via ftp and
save the filename to the database.
The problem I have now is, let's say users terminate their account on
my app and still know a few filenames, they could just type in the
address with the filename and would still see the image!
I guess the problem is the same when I have an image server...
So when a file is called abc.jpg, and it was available at
http://myapp/img/abc.jpg,
also not logged in users could still view this image.
I'm looking for an idea or a way to protect this image so only logged
in users can view it. It may be ok when other logged in users could
view it when they know the address. But it would be very interesting if
anyone would have a clue if it would be possible to protect them from
a direct access via typing it into a browser as a url...
Any ideas or hints for this?
Regards,
DD
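
The scheme described in the reply above, as an added example that is not part of the original thread: a 'get' action that checks the login and validates the rewritten name parameter before handing the file to MediaView. It assumes CakePHP 1.3 with AuthComponent; the app/data storage directory, the allowed extensions and the filename pattern are assumptions.

```php
<?php
// Added example; not from the thread. Assumes CakePHP 1.3, AuthComponent,
// and uploads stored in app/data/ (an assumed location outside the webroot).
class ImagesController extends AppController {
    var $name = 'Images';
    var $uses = array();              // this action needs no model
    var $components = array('Auth');

    function get() {
        // 1. Only logged-in users get any further. Auth normally redirects
        //    anonymous users already; this check does not rely on that.
        if (!$this->Auth->user()) {
            return $this->cakeError('error404');
        }

        // 2. 'name' arrives from the rewritten URL, so it is untrusted input.
        $name = isset($this->params['url']['name']) ? $this->params['url']['name'] : '';

        // Accept a bare filename only: no directory separators, no "..",
        // no leading dot, and an image extension from a fixed list.
        if (!preg_match('/^[A-Za-z0-9_-]+\.(jpg|jpeg|png|gif)$/i', $name)) {
            return $this->cakeError('error404');
        }

        // 3. Resolve the path and confirm it is still inside the storage dir
        //    (this also rejects missing files and symlinks pointing elsewhere).
        $dir  = realpath(APP . 'data');
        $file = realpath($dir . DS . $name);
        if ($dir === false || $file === false || dirname($file) !== $dir) {
            return $this->cakeError('error404');
        }

        // 4. Hand the file to MediaView, shown inline rather than downloaded.
        $info = pathinfo($name);
        $this->view = 'Media';
        $this->set(array(
            'id'        => $name,
            'name'      => $info['filename'],
            'extension' => strtolower($info['extension']),
            'download'  => false,
            'path'      => $dir . DS,
        ));
    }
}
```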