How to secure Laravel Storage folders











In my project I have implemented auth and ACL for my controllers and routes. I also have a file upload system that is accessible only if the user is logged in. It works fine.



My problem is with the uploaded files. A user can access any file if they have the file URL. How can I implement auth on uploaded files?



I tried with routes, but when I access the file through the browser the file is shown as if no route intercepts this URL.



I used this code:



Route::get('/storage/document/3/4a15c1ab060be8f35.png', function () {
return 'ok';
});


How can I implement auth on specific folders in storage? Thanks!










      Tags: php, laravel, authentication, storage, acl






      asked Nov 10 at 13:43
      Luciano Braga

          1 Answer
          accepted










          If you want to restrict access to files per user based on some sort of permission, you'll need to build that permission logic yourself (StackOverflow isn't going to do your job for you), but for the sake of answering this question, let's assume you already have that permission system in place and that, in order to check whether the user has access, our function is hasAccessToFile, which basically just does a lookup based on whatever your business logic requires.



          Instead of serving all files publicly, you can serve individual files; here's a very brief example:



          Route::get('files/{pathToFile}', function ($pathToFile) {
              // hasAccessToFile() is your own permission check (see above)
              if (auth()->user()->hasAccessToFile($pathToFile)) {
                  return response()->file($pathToFile); // serve the file inline
              } else {
                  return 'Nope, sorry bro, access denied!';
              }
          });


          See the File Responses documentation.



          If you need to provide downloads of the files rather than serving them, similarly:



          Route::get('files/{pathToFile}', function ($pathToFile) {
              // same permission check, but the file is sent as an attachment
              if (auth()->user()->hasAccessToFile($pathToFile)) {
                  return response()->download($pathToFile);
              } else {
                  return 'Nope, sorry bro, access denied!';
              }
          });


          See the File Downloads documentation.
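Two points a practitioner would add to the sketch above. First, the reason the route in the question never fired: a request for /storage/document/... matches a real file under the public/storage symlink, so the web server serves it as a static file and Laravel's router never runs; no route can protect a file that lives there. Second, the sketch takes a filesystem path straight from the URL and calls auth()->user() with no auth middleware in front of it, so an anonymous request reaches a null user. The following is an added example, not Stephen Lake's code and not anything shipped by Laravel, of the shape a security engineer would normally give this: uploads are written to the private local disk (storage/app, which storage:link never exposes), the URL carries a database id instead of a path, the auth middleware guarantees a logged-in user before the controller runs, and a policy decides per record. It shows three files separated by comment headers. The Document model with its user_id, disk_path and original_name columns, the User::documents() relation and DocumentPolicy are hypothetical; naming follows Laravel 8+ conventions (App\Models, array controller syntax). Storage::disk()->response() and ->download() are Laravel's own methods.

```php
<?php
// Added example (not the answer's or Laravel's own code). Assumed, hypothetical
// pieces: a Document model with user_id, disk_path, original_name (all in
// $fillable); a User::documents() hasMany relation; DocumentPolicy registered
// in AuthServiceProvider::$policies. Laravel 8+ naming conventions.

// ---------------------------------------------------------------- routes/web.php
use App\Http\Controllers\DocumentController;
use Illuminate\Support\Facades\Route;

// 'auth' middleware: anonymous requests are redirected to login before any
// controller code (and before a null auth()->user() could be touched) runs.
Route::middleware('auth')->group(function () {
    Route::post('/documents', [DocumentController::class, 'store'])->name('documents.store');
    // {document} is a database id resolved by route-model binding, never a
    // filesystem path, so nothing from the URL is ever joined onto a disk path.
    Route::get('/documents/{document}', [DocumentController::class, 'show'])->name('documents.show');
    Route::get('/documents/{document}/download', [DocumentController::class, 'download'])->name('documents.download');
});

// --------------------------------- app/Http/Controllers/DocumentController.php
namespace App\Http\Controllers;

use App\Models\Document;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

class DocumentController extends Controller
{
    // The 'local' disk roots at storage/app. `php artisan storage:link` only
    // symlinks storage/app/public, so files here have no static URL at all.
    private const DISK = 'local';

    public function store(Request $request)
    {
        $request->validate([
            'document' => ['required', 'file', 'max:10240', 'mimes:pdf,png,jpg'],
        ]);

        $upload = $request->file('document');
        // store() generates a random filename; the client-supplied name is kept
        // only in the database and is never used to build a path on disk.
        $path = $upload->store('documents/' . $request->user()->id, self::DISK);

        $document = $request->user()->documents()->create([
            'disk_path'     => $path,
            'original_name' => $upload->getClientOriginalName(),
        ]);

        return redirect()->route('documents.show', $document);
    }

    // Inline display (images, PDFs) for users the policy allows.
    public function show(Document $document)
    {
        $this->authorize('view', $document); // DocumentPolicy::view, 403 when false
        abort_unless(Storage::disk(self::DISK)->exists($document->disk_path), 404);

        // nosniff stops a browser from rendering an upload that is really HTML
        // as a page in this origin.
        return Storage::disk(self::DISK)->response(
            $document->disk_path,
            $document->original_name,
            ['X-Content-Type-Options' => 'nosniff']
        );
    }

    // Same check, but sent as an attachment (Content-Disposition: attachment).
    public function download(Document $document)
    {
        $this->authorize('view', $document);
        abort_unless(Storage::disk(self::DISK)->exists($document->disk_path), 404);

        return Storage::disk(self::DISK)->download($document->disk_path, $document->original_name);
    }
}

// ----------------------------------------------- app/Policies/DocumentPolicy.php
namespace App\Policies;

use App\Models\Document;
use App\Models\User;

class DocumentPolicy
{
    // Owner-only access; replace with whatever your ACL requires.
    public function view(User $user, Document $document): bool
    {
        return $user->id === $document->user_id;
    }
}
```

Because the lookup is by id, a caller who guesses another record's id gets a 403 from the policy rather than a file, and because the on-disk name is random and the original name is only echoed in Content-Disposition, nothing the uploader typed ever becomes part of a path. Keep the `mimes` rule tight to what the application actually needs; it inspects content, not the extension the client sent.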






          • The part about showing the file if the user has permission is not the problem. But this does not work if the file is in the public folder storage/app/public. How can I protect a subfolder of public like storage/app/public/docs?
            – Luciano Braga
            Nov 10 at 14:42






            Don’t use the public folder or any of its subdirectories for protected files. If you need to display a protected image or download a file, then serve it over an endpoint (route) you can control.
            – adam
            Nov 10 at 18:13






            @LucianoBraga Adam just said it. You're not supposed to make everything public if you don't want everything to be public. If you want to serve files privately, then they cannot be accessible in storage via the public resource directory. Makes sense right?
            – Stephen Lake
            Nov 10 at 19:54






            @LucianoBraga That's right, move them anywhere you like outside of the public directory, preferably the storage folder, and if your storage folder is symlinked, you'll need to ensure the destination folder isn't publicly readable, obviously.
            – Stephen Lake
            Nov 11 at 10:50








            OK. Thanks for all!!
            – Luciano Braga
            Nov 11 at 11:33











          edited Nov 10 at 14:19
          answered Nov 10 at 14:14
          Stephen Lake
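The comment thread settles on the real root cause: anything under storage/app/public is reachable as a static URL once storage:link has created public/storage, and the same holds for anything placed directly under public/. The following added example, not part of the original thread, is a stand-alone PHP check a practitioner can run against a deployment or in CI to confirm that the directory holding protected uploads resolves outside every web-served root. It builds a throwaway, Laravel-shaped directory tree in the system temp directory to show both the exposed layout (storage/app/public/docs) and the private one (storage/app/docs); the two functions are the example's own, and in a real application you would call isWebReachable(public_path(), Storage::disk('local')->path('')) from an artisan command or a test (those two calls are Laravel's).

```php
<?php
// Added example, not code from the original thread. Checks whether a directory
// holding protected uploads can be served as static files: either it sits under
// public/ itself, or under the real target of a symlink directly inside public/
// (the public/storage link that `php artisan storage:link` creates).
declare(strict_types=1);

/**
 * Every directory the web server may serve statically: the web root itself
 * plus the resolved target of each symlink found directly inside it.
 */
function webServedRoots(string $publicDir): array
{
    $roots = [realpath($publicDir)];
    foreach (scandir($publicDir) as $entry) {
        $candidate = $publicDir . DIRECTORY_SEPARATOR . $entry;
        if ($entry !== '.' && $entry !== '..' && is_link($candidate)) {
            $target = realpath($candidate); // follows the link to the real directory
            if ($target !== false) {
                $roots[] = $target;
            }
        }
    }
    return array_values(array_unique(array_filter($roots)));
}

/** True when $dir, after symlink resolution, lies inside any web-served root. */
function isWebReachable(string $publicDir, string $dir): bool
{
    $real = realpath($dir);
    if ($real === false) {
        return false; // directory does not exist, so there is nothing to serve
    }
    foreach (webServedRoots($publicDir) as $root) {
        if ($real === $root || strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
            return true;
        }
    }
    return false;
}

// --- constructed demo tree: a throwaway, Laravel-shaped layout in the temp dir ---
$base = sys_get_temp_dir() . '/laravel-storage-check-' . bin2hex(random_bytes(4));
foreach (['public', 'storage/app/public/docs', 'storage/app/docs'] as $dir) {
    mkdir("$base/$dir", 0700, true);
}
symlink("$base/storage/app/public", "$base/public/storage"); // what storage:link does

$cases = [
    'storage/app/public/docs' => true,  // exposed as /storage/docs/... once linked
    'storage/app/docs'        => false, // private 'local' disk: only a route can serve it
];
foreach ($cases as $relative => $expected) {
    $reachable = isWebReachable("$base/public", "$base/$relative");
    printf("%-24s web-reachable=%-5s %s\n", $relative, var_export($reachable, true),
        $reachable === $expected ? 'as expected' : 'UNEXPECTED');
}

// remove the throwaway tree (children first, the symlink before its parent)
unlink("$base/public/storage");
foreach (['storage/app/public/docs', 'storage/app/public', 'storage/app/docs', 'storage/app', 'storage', 'public'] as $dir) {
    rmdir("$base/$dir");
}
rmdir($base);
```

The check only looks at symlinks directly inside public/, which is where storage:link puts its link; aliases configured in nginx or Apache, or links nested deeper, are outside its view and need a separate look at the server configuration. It also treats a symlink as reachable without asking whether the server follows it, which is the safe assumption for a test that is meant to fail loudly.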
