Member Avatar for vinnyroundfoot

Hi Everyone,

I will soon develop a web application (normally with PHP (cakePHP)) which should allow the users to view their related PDF files. Obviously, I dont' not want that users are able to view other user's PDF files (using for example URL rewriting). I'm looking for a solution for that issue.

I know that a can restrict access to directories (and thus files) using .htAccess but in this case, how can I use the login/password used by the user to log into the application ?

Can someone give me a solution or give me some guideline ?

Thanks

VinnyRoundFoot

  • 3 Contributors
  • 4 Replies
  • 1K Views
  • 4 Months Discussion Span
  • Latest Post Latest Post by nepeanmedia

Recommended Answers

All 4 Replies

Member Avatar for w_3rabi

you can use a php file in the url instead of the real pdf name.
this file should check the owner of the file then
prints the contents of the file (echo)
with the apropriate

header("content-type:");
Member Avatar for vinnyroundfoot

Thanks for your feed-back. I have followed your idea and after some search on google, I did what is following :

1. create a document directory on the server
2. inside this document directory, add an .htaccess file with these settings :

order deny,allow
allow from 127.0.0.1
deny from all

These settings should disable access to the directory except for the localhost. Thus PHP should only have access.

3. put a test.pdf file inside the document directory
4. create the following php file to access test.pdf

<?php
  $file = "test/test.pdf";
  header('Content-type: application/pdf');
  header("Content-Disposition: inline; filename=".$file);
  /*header("Content-Disposition: attachment; filename=".$file);*/
  header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
  header('Cache-Control: no-store, no-cache, must-revalidate');
  header('Cache-Control: pre-check=0, post-check=0, max-age=0');
  header('Pragma: anytextexeptno-cache', true);
  header('Cache-control: private');
  header('Expires: 0');
  readfile($file); 
?>

The code displays test.pdf inside your browser. If you want to "download" this file, use this line header("Content-Disposition: attachment; filename=".$file); instead of header("Content-Disposition: inline; filename=".$file); Now I still have to create some authenfication using php but I think that the concept is good.
Also, It should be useful to enforce the code to only display pdf files and not all kind of files, but It should not be a big deal.

hope it can help (even it is not perfect)

Member Avatar for vinnyroundfoot

I made a small mistake inside the php code.

Please read : $file = "document/test.pdf"; instead of $file = "test/test.pdf"; sorry

Member Avatar for nepeanmedia

you can use a php file in the url instead of the real pdf name.
this file should check the owner of the file then
prints the contents of the file (echo)
with the apropriate

header("content-type:");

I believe this is what I am looing for and it seems to be the way the moodle restricts unuathorised uploads - could you pinty me to a tutorial that develops this futher ?

cheers

paul

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.