File access based on permissions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
p3x
Forum Newbie
Posts: 9
Joined: Thu Nov 11, 2004 4:35 am

File access based on permissions

Post by p3x »

Hello,

I am currently about to make a system which enables users to access pdf and doc files from the server. However, the files that can be accessed vary per user. So it could happen that user A can access files f1, f2 and f3, while user B can only access f3 and user C can access f5 and f6.

I could ofcourse put all the files in the same folder and then have a script which checks the username and compares it to a list of allowed files for that user. The problem with that is that a user could simply bypass the script by typing the direct URL to a file in the address bar. This way he would still be able to access all the files. This could be prevented with htaccess in the folder, but that would mean that I have to make subfolders with different htaccess for each user... lots of work PLUS the user would have to login twice...

So I was thinking databases... Maybe it could be wise to store all the documents in a database and then when a user request a .doc or .pdf, just let a script generate the file from the database. Security-wise this would be safer... I think (?)...

Any more ideas or better ideas??


Thanks in advance
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

you can do it with an htaccess in a single folder and a simple authorization script for performing the actual download.

The htaccess would use Deny From All. My own servers have this is several folders where I want to track file accesses and things..
Post Reply