Hi Everyone,

I will soon develop a web application (normally with PHP (CakePHP)) which should allow users to view their related PDF files. Obviously, I do not want users to be able to view other users' PDF files (using, for example, URL rewriting). I'm looking for a solution for that issue.

I know that I can restrict access to directories (and thus files) using .htaccess, but in this case, how can I use the login/password used by the user to log into the application?

Can someone give me a solution or give me some guidelines?

Thanks

VinnyRoundFoot

You can use a PHP file in the URL instead of the real PDF name. This file should check the owner of the file, then print the contents of the file (echo) with the appropriate

header("content-type:");

Thanks for your feedback. I have followed your idea and, after some searching on Google, I did the following:

1. create a document directory on the server
2. inside this document directory, add an .htaccess file with these settings:

order deny,allow
allow from 127.0.0.1
deny from all

These settings should disable access to the directory except for the localhost. Thus only PHP should have access.

3. put a test.pdf file inside the document directory
4. create the following php file to access test.pdf

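<?php
  // Path of the PDF to send, relative to this script.
  $file = "test/test.pdf";
  // Tell the browser the response body is a PDF.
  header('Content-type: application/pdf');
  // "inline" displays the file in the browser; "attachment" forces a download.
  header("Content-Disposition: inline; filename=".$file);
  /*header("Content-Disposition: attachment; filename=".$file);*/
  header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
  // Caching headers. header() replaces an earlier header of the same name
  // unless its second argument is false, so the later Cache-Control calls
  // pass false to be sent in addition to the first one.
  header('Cache-Control: no-store, no-cache, must-revalidate');
  header('Cache-Control: pre-check=0, post-check=0, max-age=0', false);
  header('Pragma: anytextexeptno-cache', true);
  header('Cache-control: private', false);
  header('Expires: 0');
  // Stream the file contents to the client.
  readfile($file);
?>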

The code displays test.pdf inside your browser. If you want to "download" this file, use this line header("Content-Disposition: attachment; filename=".$file); instead of header("Content-Disposition: inline; filename=".$file); Now I still have to create some authentication using PHP, but I think that the concept is good.
Also, it should be useful to force the code to only display PDF files and not all kinds of files, but it should not be a big deal.

Hope it can help (even if it is not perfect)

I made a small mistake in the PHP code.

Please read: $file = "document/test.pdf"; instead of $file = "test/test.pdf"; sorry

You can use a PHP file in the URL instead of the real PDF name. This file should check the owner of the file, then print the contents of the file (echo) with the appropriate

header("content-type:");

I believe this is what I am looking for, and it seems to be the way Moodle restricts unauthorised uploads - could you point me to a tutorial that develops this further?

cheers

paul
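
The approach discussed in this thread (a PHP script in the URL that checks the owner, then sends the file), as an added example that is not part of any post above. The session key `user_id`, the `id` query parameter, the `$documents` array (standing in for a database table) and the sample file names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: login code stores the
// user id in $_SESSION['user_id']; $documents stands in for a database table.
const DOC_DIR = __DIR__ . '/document';  // directory closed off by .htaccess

/** Return the real path of the PDF if $userId owns $docId, otherwise null. */
function authorized_pdf_path(array $documents, ?int $userId, string $docId): ?string
{
    if ($userId === null || !isset($documents[$docId])) {
        return null;  // not logged in, or unknown document id
    }
    if ($documents[$docId]['owner'] !== $userId) {
        return null;  // the file belongs to another user
    }
    $base = realpath(DOC_DIR);
    $path = realpath(DOC_DIR . '/' . basename($documents[$docId]['file']));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;  // missing file, or a path that escapes DOC_DIR
    }
    // Serve PDFs only: check the magic bytes rather than trusting the name.
    if (file_get_contents($path, false, null, 0, 5) !== '%PDF-') {
        return null;
    }
    return $path;
}

session_start();
$documents = [  // constructed sample data: opaque id => owner and stored name
    'a1f3' => ['owner' => 7, 'file' => 'invoice-7.pdf'],
    'b9c2' => ['owner' => 8, 'file' => 'invoice-8.pdf'],
];
$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$docId  = is_string($_GET['id'] ?? null) ? $_GET['id'] : '';
$path   = authorized_pdf_path($documents, $userId, $docId);

if ($path === null) {
    http_response_code(404);  // same reply for "not yours" and "does not exist"
    exit('Document not found');
}
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The URL carries only an opaque id, never a file name, so changing the id to one owned by another user returns the same 404 as an id that does not exist.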
