Control access to documents

Question

Control access to documents

Asked 7 years, 1 month ago

Viewed 63 times

0

I am creating an application to manage files, the files are being saved in a local directory "localhost/uploads...", I have a table "documents" with a field "urldoarquivo", where save the file path, I also have my users table, now I need to define which user can view/download/list a particular document...

Ex: formulario.doc - can be viewed by the user CARLOS, MARCOS and LUCAS...

If anyone knows how I can do it, I’m using codeigniter, I have no idea how to do it, I’m desperate.

Thanks in advance!

Tip: Just doing this through software does not guarantee that users who do not have permission to a particular file can manipulate. Example if he knows the address he can download the file even having no authorization. The idea I believe there is another.

– novic

2017/10/08 at 14:58
then @Virgilionovic I have the download URL but it is always in different directory, download example/jdnfdfad/.doc file, it sends to the download page the path you want to download, so the user never knows where the document really is, because it creates a name for each path with 8 digits....

– Luan Amado

2017/10/08 at 15:27
1

@Luanamado see the links indicated in the closing. Almost all the given solutions even allow you to put the file outside the directory of the site, not to resort to this idea of trying to hide the path (which is easily broken with brute force, trying combinations of characters). The "secret" (which is no secret) is that the file is never accessible by the web server, and must be intermediated by PHP. By using x-sendfile, which is one of the proposed solutions, you even avoid script overload.

– Bacco

2017/10/08 at 17:12

1 answer

Browser other questions tagged php mysql codeigniter

You are not signed in. Login or sign up in order to post.

by Adriano Campos • 51 points · Answer 1 · 2017-10-08T16:10:36+00:00

@Beloved what you can do is first create a link table between the user and the document.

Table Example:

CREATE TABLE `viculo` (
`id_vinculo` int(11) NOT NULL AUTO_INCREMENT,
`id_documento` int(11) NOT NULL,
`id_usuario` int(11) NOT NULL,
PRIMARY KEY (`id_vinculo`)
);

And then in the "controler" of Codeigniter in the function that you use to handle the download, before you download, you load a "model" that will have access to the "link" table, and call a function in the "model" to check if the user has a link with this document, this return function TRUE or FALSE.

Model Example

class Viculo_Model extends CI_Model{
    var $table = 'vinculo';
    public function verificar_vinculo($documento,$usuario){
        $this->db->where('id_documento =', $documento);
        $this->db->where('usuario =', $documento);
        $this->db->get($this->table);
        $query = $this->db->get('usuarios');
        $vinculo = $query->row(0);
        if(!$usuario) return false;         
        return true;            
    }
}

If TRUE continues with the download, if FALSE redirects the user to a "view" informing the user that it is not allowed to download.

Example Controler

$this->load->model('vinculo_model');
$vinculo = $this->vinculo_model->verificar_vinculo($documento,$usuario);
if ($vinculo) {
    // coloque aqui o a função de realiza o download
} else {
    // carrega view informando que o usuário não tem permissão
    $this->load->view('sem_permisao', $data);
}