I'm stuck on the best way to handle this. In a nutshell, I'm creating a website that sets up forums between one or several parties. Each participant of a forum can upload file attachments to any message they post.
What I want is a way to protect those uploads from being downloaded by non-authorized parties. The way it works now, I have a script that takes the forumID and the messageID, checks to make sure the user has access to the forum, and if so, returns the file to them for download. The problem however, is that if someone knows the file path "ex - user_data/forums/2400/filename.ext", they can grab it from there.
I don't want to have to make the user type in their username/password again in order to access the file, as is the case if I used .htaccess and .htpasswd....at least that I know of.
Anyone have suggestions?
EDIT: I guess I should caveat that by saying...a way OTHER than placing documents above the web root :)