Can we Stop Non-logged in users access to files Folder?


Postby muzafar » Tue Dec 27, 2011 1:05 am

Greetings,

I have an application in which users can submit their applications to the directory through upload. I want to make the files which are uploaded to the files directory accessible only to that specific user who is logged in, and the file should not be downloadable if a user tries to download it from a link, i.e.

http://example.com/abc/tables/files/Gra ... tion-1.doc

I.e., the user should not be able to download the above file directly from the URL; to download this file, he should first log in, and then he will be able to download the file which he has uploaded.

Is it possible?

Kindly lead me.

Your help will be greatly appreciated.

Thanks.
muzafar
 
Posts: 44
Joined: Mon Nov 28, 2011 9:25 pm

Re: Can we Stop Non-logged in users access to files Folder?

Postby kedikatt » Tue Dec 27, 2011 2:54 am

Why? I am new to Xataface forums, but I can't see a good reason for this. If the download costs extra money to maintain the site because of bandwidth costs, it still would not be offset by a downloader being registered. If it is some concept of contribution to the forum through activity, then I should not download because all I have done is ask questions, not answered any.

Why do you want to limit downloads to registered users?
kedikatt
 
Posts: 18
Joined: Sun Dec 25, 2011 6:25 am

Re: Can we Stop Non-logged in users access to files Folder?

Postby muzafar » Tue Dec 27, 2011 3:56 am

I am talking about my own application. I want to forbid users when they try to download files from the directory through a link. I don't want users to reach the files without being logged in.
muzafar
 
Posts: 44
Joined: Mon Nov 28, 2011 9:25 pm

Re: Can we Stop Non-logged in users access to files Folder?

Postby ADobkin » Tue Dec 27, 2011 6:21 am

There are two solutions to this problem. The first one is to use BLOB data within the database. That is arguably the most secure method, but it may have performance or other design implications for your application. That method is described here:

http://xataface.com/documentation/how-t ... le-uploads

The second option is relatively new, and it is an excellent way to handle the files stored as container fields. It is described here:

http://xataface.com/wiki/secure
ADobkin
 
Posts: 195
Joined: Mon Oct 22, 2007 7:31 pm
Location: Atlanta, GA, USA

Re: Can we Stop Non-logged in users access to files Folder?

Postby shannah » Tue Dec 27, 2011 11:29 am

I have just appended a note on the "secure" wiki page that you also need to disallow access to the uploads directory using an .htaccess file if using this approach.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: Can we Stop Non-logged in users access to files Folder?

Postby muzafar » Wed Dec 28, 2011 5:15 am

Thanks Shannah and ADobkin for your replies.

I have used the .htaccess file method: I wrote "deny from all" in it and put the file in the upload directory. It's working successfully on my localhost, but when I upload the same .htaccess file to my server directory, it doesn't work and the file is downloaded from the absolute URL. I am using it without putting secure=1 for uploading files.

I have also changed the httpd.conf file and set AllowOverride All, but it's still not functional on my server.

Kindly lead me; your help will be greatly appreciated.

Thanks,
muzafar
 
Posts: 44
Joined: Mon Nov 28, 2011 9:25 pm

Re: Can we Stop Non-logged in users access to files Folder?

Postby ADobkin » Wed Dec 28, 2011 6:12 am

Apache is very particular about paths and other configuration directives. It is possible that your AllowOverride is not applying to the directory where the .htaccess file is located. This page gives some other possible issues to check:

http://smartwebdeveloper.com/apache/htaccess-problems

You might find something in your server logs indicating why the .htaccess file is not working.

Personally, I prefer to use both an .htaccess file and a configuration directive in the Apache conf file to deny access, since neither is a guarantee by itself. The .htaccess file could be disallowed as you are experiencing now, and the configuration directive in the conf file only works as long as the exact path stays the same. If the directory is renamed or moved, then your files could become exposed in the future.

The other issue (after you get past this one) is that I think you must use the secure=1 directive. Otherwise, Xataface won't convert the links to use database queries, so there will be no way to access the files once they are blocked by the .htaccess file above.
ADobkin
 
Posts: 195
Joined: Mon Oct 22, 2007 7:31 pm
Location: Atlanta, GA, USA
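
The two-layer denial described in the post above, sketched as an added example that is not part of the original thread or of Xataface's documentation. The filesystem path `/path/to/app` is a placeholder for wherever the application actually lives on the server, and the two sections below belong in two separate files.

```apache
# ---------------------------------------------------------------
# File 1: main server configuration (httpd.conf or a vhost file)
# ---------------------------------------------------------------
# Denial enforced by the server config itself. It applies even when
# .htaccess processing is switched off, but only for as long as the
# directory keeps this exact path (placeholder path, adjust it).
<Directory "/path/to/app/tables/files">
    # Apache 2.4 syntax:
    Require all denied
    # Apache 2.2 equivalent, to be used instead of the line above:
    #   Order deny,allow
    #   Deny from all
</Directory>

# .htaccess files are only honoured in directories covered by an
# AllowOverride that permits the directives they contain.
# "Require" needs AuthConfig; "Order/Deny" need Limit.
# This <Directory> path must match the real location of the
# application, otherwise the override never applies to the uploads.
<Directory "/path/to/app">
    AllowOverride AuthConfig Limit
</Directory>

# ---------------------------------------------------------------
# File 2: /path/to/app/tables/files/.htaccess
# ---------------------------------------------------------------
# Second layer. It travels with the directory if it is renamed or
# moved, which the <Directory> block in File 1 does not.
# The IfModule tests let the same file work on 2.2 and 2.4.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

After reloading Apache, a direct request for any file under the uploads directory should return 403 Forbidden from a browser session that is not logged in. As the thread notes, files then have to be served through Xataface with the secure=1 directive set on the container field.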

