Page 1 of 1

File access based on permissions

Posted: Tue Apr 19, 2005 12:30 pm
by p3x
Hello,

I am currently about to make a system which enables users to access pdf and doc files from the server. However, the files that can be accessed vary per user. So it could happen that user A can access files f1, f2 and f3, while user B can only access f3 and user C can access f5 and f6.

I could ofcourse put all the files in the same folder and then have a script which checks the username and compares it to a list of allowed files for that user. The problem with that is that a user could simply bypass the script by typing the direct URL to a file in the address bar. This way he would still be able to access all the files. This could be prevented with htaccess in the folder, but that would mean that I have to make subfolders with different htaccess for each user... lots of work PLUS the user would have to login twice...

So I was thinking databases... Maybe it could be wise to store all the documents in a database and then when a user request a .doc or .pdf, just let a script generate the file from the database. Security-wise this would be safer... I think (?)...

Any more ideas or better ideas??


Thanks in advance

Posted: Tue Apr 19, 2005 1:53 pm
by feyd
you can do it with an htaccess in a single folder and a simple authorization script for performing the actual download.

The htaccess would use Deny From All. My own servers have this is several folders where I want to track file accesses and things..