
How to control permission of user before opening a file?

Hi everyone,

I tried to explore this by myself without any success. I would be very grateful if you could figure it out for me. Sorry if there is already something similar to my question in this forum. I am new here.

OK, the question is, how could you control the permission of users before giving them a file (like PDF, jpg)? Looks unclear? I am not asking about requesting a php file, since we can easily control the permission of users and redirect them if they are not logged in.

In more detail, assume that the website has a group named A. Group A uploads a file, say example.pdf, to the server. I want ONLY them to have permission to view and download this file (any other people can't see this, even though they may have the actual link).

Even more detail, assume that the address of the file in server is

[url]http://www.myserver.com/group/exampe.pdf[/url]

By default, anyone can request this file (since it is PDF – NOT PHP so that I can control/check visitor's permission). I cannot manually chmod each file on the server, of course. I want ONLY group A to be able to download the file!

Could you PHP experts help me solve this problem? I have actually tried a lot by myself but I had to give up.


6 Comments(s)


@Phill_Pafford Mar 17.2009 — Sounds like you need to use sessions.

The concept being that you need to use a database for the file/image/pdf/etc.. to keep track of the group usage permission.

// User table would hold the user info

MySQL Table: Users

Columns: user_id, user_name

// Group table would hold the group info

MySQL Table: Groups

Columns: group_id, group_name

// User_Group table would hold what users are in what group, a user can be in multiple groups and have more than one record

MySQL Table: User_Groups

Columns: group_id, user_id

// The files table tells you what groups have access to what files, you could also set an expiration date so that the file would become unavailable if needed.

MySQL Table: files

Columns: file_id, group_id, file_name, file_permission

Just a thought

@Stevish Mar 17.2009 — I think the way to do it would be to store the file outside of the public_html folder (where it is not accessible directly from the web). Then using php, check to see if the user is authorized to access that file, then create a temporary copy of the file that the user can download.

If you have trouble with the temporary part, you could generate a random filename and save it on the server. Then (probably using a database table) store the time it was created. Then at the beginning of each call to the script, you can run a function that deletes all the temporary files that are older than 10 minutes (or however long you want the temporary file to be available for). With this option, the file would be publicly accessible for 10 minutes, but the user would have to guess the random filename.

There may be a better way, but that's how I would try to tackle this myself

@catchicken (author) Mar 17.2009 —

[QUOTE]I think the way to do it would be to store the file outside of the public_html folder (where it is not accessible directly from the web). Then using php, check to see if the user is authorized to access that file, then create a temporary copy of the file that the user can download.

If you have trouble with the temporary part, you could generate a random filename and save it on the server. Then (probably using a database table) store the time it was created. Then at the beginning of each call to the script, you can run a function that deletes all the temporary files that are older than 10 minutes (or however long you want the temporary file to be available for). With this option, the file would be publicly accessible for 10 minutes, but the user would have to guess the random filename.

There may be a better way, but that's how I would try to tackle this myself[/QUOTE]


Yeah... I did think of generating a random file name. But that kind of technique is quite awkward when dealing with thousands of files, and continuously deleting files is dangerous.

For your first suggestion "using PHP to check" - I know how to do so with a php file. But HERE IT IS PDF OR JPG. It is not php or server code. Embedding is not a good solution, since it is just a way to hide the link.

Thanks, Phill Pafford. I am actually not asking about creating a database. Here I am working on a flat PDF, PNG, JPG file without server code. That is my difficulty.

I MEAN, there must be server code, but how to implement it, while I only have a PDF?

@bhavik_thegame Mar 18.2009 — Ok.

In order to upload a file you are using a server-side script, right?

i.e. Group A uploads a file by using a php script on a page.

In order to keep track of which persons should have access to the file you need to store them somewhere.

So, it's necessary to use a database & a server-side php script.

After using a db, php can handle things easily.

@Mr__E__Cryptic Mar 18.2009 — This link will take you through the process of 'securing' the file (i.e. any requests for the direct file are forced to a php page for processing).

Hopefully it helps you get started.

@Stevish Mar 18.2009 — Sweet. I think Mr. E. has your solution. In case you want to make sure before you read through that long article, here's a summary:

You create a php snippet that will send the necessary headers to send the file to the user. Then, to make sure users can't access the file directly, you use .htaccess to bounce all file requests to that php script.

That way you can have that script authenticate the user (by checking the database or whatever other means you have for checking permissions) before sending out the headers.
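
The approach the replies converge on (files kept outside public_html, a rewrite rule that sends every request to a PHP script, and a group check before any bytes are sent), as an added example that is not code from any poster in the thread. The storage path, DSN, session key and rewrite rule are assumptions; table and column names follow the schema suggested earlier in the thread.

```php
<?php
// Added example, not from the thread. Assumed .htaccess rule in the web root,
// sending every request under /group/ to this script (download.php):
//   RewriteEngine On
//   RewriteRule ^group/(.+)$ /download.php?file=$1 [L]
// Assumptions: files live in STORE_DIR outside public_html; the login code
// stored the user's id in $_SESSION['user_id'].
declare(strict_types=1);

const STORE_DIR = '/home/example/private_files'; // hypothetical path

function authorizedPath(PDO $db, int $userId, string $requested): ?string
{
    // basename() drops any directory part, so "../" cannot leave STORE_DIR.
    $name = basename($requested);
    $stmt = $db->prepare(
        'SELECT f.file_name FROM files f
           JOIN User_Groups ug ON ug.group_id = f.group_id
          WHERE f.file_name = ? AND ug.user_id = ?'
    );
    $stmt->execute([$name, $userId]);
    if ($stmt->fetchColumn() === false) {
        return null;                 // user is in no group that owns the file
    }
    $path = STORE_DIR . '/' . $name;
    return is_file($path) ? $path : null;
}

session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}
$userId = (int) $_SESSION['user_id'];
session_write_close();               // release the session lock before streaming

// Hypothetical DSN and credentials.
$db = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$path = authorizedPath($db, $userId, (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);         // same answer for "missing" and "forbidden"
    exit('Not found');
}
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the script reads the file from outside the web root, no temporary public copy is needed, and a leaked link returns 404 to anyone whose session is not in the owning group.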