Access control to uploaded files (in the filesystem)


Post by ferrante » Thu Aug 24, 2006 12:44 pm

I have a database which allows file uploading and stores the files in the filesystem. I protected it by password, but anyone can peek at the files by typing the URL into the browser. Is there any simple way to disallow this?

If not, I suggest it as a future feature for Dataface (a very nice application, by the way).
ferrante
 
Posts: 12
Joined: Wed Dec 31, 1969 5:00 pm

Post by shannah » Fri Aug 25, 2006 11:20 am

Yes, the current version doesn't do much (or anything) to apply permissions to uploaded files. I did this for performance reasons because most of my apps just had uploaded images that I wanted to have fast access time. Clearly this is a needed feature though.

Using .htaccess files it is possible to turn off the listing of the files in directories: http://blog.dreamhosters.com/kbase/index.cgi?area=2517
This will at least make it so people can't poke around too much, but if they know the URL to a particular file, they can still access it.

It is also possible to use PHP to preprocess all files in a particular folder. This would allow you to provide a test to see if the user has access to a file in the upload folder. I don't have an example at my fingertips for this one though. If you would like an example, let me know, and I can probably dig one up.

Best regards

Steve
--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm
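
The PHP preprocessing approach mentioned in the reply above, as an added example that is not part of the original thread and is not Xataface code. It assumes the uploads are stored where the web server will not serve them directly, that the application's login code sets `$_SESSION['user_id']`, and that the script name `download.php`, the `file` parameter and the directory path are hypothetical.

```php
<?php
declare(strict_types=1);
// download.php: hypothetical gatekeeper, requested as download.php?file=<name>.
// Assumption: UPLOAD_DIR is outside the document root, or direct requests to it
// are blocked (e.g. "Require all denied" in that directory's .htaccess).
const UPLOAD_DIR = '/var/www/private_uploads';   // assumed path

session_start();

// Assumption: the login code stores the authenticated user's id in the session.
// This check only requires a logged-in user; it does not test per-file ownership.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Keep only the final path component so "../" cannot escape UPLOAD_DIR.
$name = basename((string)($_GET['file'] ?? ''));
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $name);

// realpath() resolves symlinks; the result must be a regular file under UPLOAD_DIR.
if ($name === '' || $base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Detect the type from the file contents (needs the fileinfo extension) and
// tell the browser not to second-guess it.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff');
// Force a download rather than inline rendering of user-supplied content.
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($name));
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

Links in the application then point at the script instead of the upload folder, so a guessed file URL no longer bypasses the password check.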


Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved