[RESOLVED] restricting file access

foid025

Hey. I have a question regarding file access which I can't find posts on by searching... I have a directory full of user files, titled by fid (file id) so like
userfiles/1.txt
userfiles/2.doc
userfiles/3.xls
etc....
Some of these files have password protection on them, some don't. I have a general php page: viewFile.php?fid=** to access a file. That page loads up some info about the file, and then it has a link to download the file.

How can I restrict downloads to users going through that page? Like right now anybody can direct their browser to userfiles/1.txt to download the file. How can I make it so only people that successfuly went to viewFile.php?fid=1 (it has a password script on it) can open the file?

Thanks a lot for the help!

bradgrafelman

Create a .htaccess file in the "userfiles" directory like so:

Order allow,deny
Deny from all

foid025

can you give me some more info as to what you mean? what will this method do? i'ma look into htaccess some more online but can you please give me some more info? thanks...

i thought htaccess could only restrict access to users you specify in advance - and it does it for the whole folder. i want individual files to be available to individual people, with a mysql db telling who can go where...

foid025

I am utterly lost on this after hours of searching...

I want people to access files in the /userFiles/ directory by going through this path:

viewFile.php -> the file

and not just directly going to the file.

this is to make sure that only people who have supplied the correct password can access the file

How do I get this to work? Can I do it by setting tight folder permissions and then using some php command to allow my viewFile.php page to download a file??

Thanks a lot guys.

bradgrafelman

Put the viewFile.php page outside of the userFiles directory, and deny all access to the userFiles directory using the sample .htaccess code I posted above.

foid025

Okay. Thanks, so now I managed to block off all access to the userFiles directory. But now even my viewFile.php file doesn't get access. Is there another .htaccess code that could give it access? Thanks much.

bradgrafelman

As I said earlier:

bradgrafelman wrote:
Put the viewFile.php page outside of the userFiles directory

Alternatively, add this to your .htaccess file:

<Files "viewFile.php">
	Order Deny,Allow
	Allow from All
</Files>

foid025

beautiful. just beautiful. thanks bradgratelman that did it, the second part. thanks a lot, ur my savior for the day! haha

bradgrafelman

foid025 wrote:
thanks a lot, ur my savior for the day!

The thanks is much appreciated... but Jesus is a much better savior than I could ever be 😉

Weedpacket

foid025 wrote:
But now even my viewFile.php file doesn't get access.

This is disturbing: it would appear to mean that viewFile.php is using HTTP to get files from the UserFiles directory (otherwise .htaccess wouldn't be involved). Why is this, when presumably both are on the same server and indeed the same filesystem, and therefore viewFile.php should be using filenames to access the files instead of URLs?

bradgrafelman

I believe he was being vague (or even misleading) on what is being accessed. Since my addition of the <Files> tag worked (according to him), I'm guessing that he meant the user couldn't access the viewFile.php.

foid025

viewFile.php is in the root directory (/www/)
when a user wants to download a file, viewFile.php links to openFile.php with a certain code

openFile.php is in the userfiles directory (/www/userFiles/). it checks the code, and then attempts to read the selected file, which is also in this /userFiles/ directory.

clear??

Weedpacket

foid025 wrote:
clear??

Not quite: what exactly do you mean by "links to"?

foid025

from viewFile.php?uid=555, user clicks on "Download File" which is <a href="userFiles/openFile.php?uid=555&code=123123> where the code is created in the viewFile.php page and then checked in openFile.php. Then the file is opened.

Weedpacket

Ah, I see. Of course, you could put openFile.php in the same place as viewFile.php - leave userFiles/ clear to contain ... user files. Obviously openFile.php would need to be adjusted to look in the userFiles/ subdirectory instead of its own.

foid025

yeahhhh that would have been one way of doing it, but I didn't know how to edit openFile.php to reflect the change at the time. and im very stubborn... when i get a problem, i want to destroy it, not work around it, even if in the end the result is the same and it saves me about three hours of searching. hehee