Question

Here is the situation: I have an Apache server , which hosting a php program, the program allow user to login and the user can upload files, and share their upload files to others, so, I have a folder called "attachment" in the htdoc folders, which is store the user s attachement. But I don t want people get access to this folder directly, I only let some users(base on their user right), to get the file they want, others, can get access to that file...

例如,一个上载文件——a,与B、C. 用户B共享,C可以通过链接传送链接,但用户D甚至可以链接,但是他/她仍然可以下载,即使他/她正在伐木。我如何检查? 谢谢。

Answer 1

一种解决办法是使双倍私人化(即:将其从htdocs上移出),并使用一个网关文字。与此类似:

$fullpath =  /path/to/your/files/ .basename($_GET[ filename ]));

// verify that the user is valid here
// verify that file exists here

// get the mime type
$finfo = finfo_open();
$mime = finfo_file($finfo, $fullpath, FILEINFO_MIME_TYPE);

// send it to the client
header( Content-Disposition: attachment; filename= .basename($fullpath));
header( Content-Type:  .$mime);
readfile($fullpath);

因此,你与它一样:

Answer 2

不要把档案保存在你的网络目录之外,然后有检查访问的网址,如果能够正确查阅,则向人们提供档案。

        $file =  file_path ;
        header("Content-Type: image/jpeg");
        header("Content-Length: " . filesize($file));
        header("Content-Disposition: attachment; filename="filename.jpg"");
        header( Cache-Control: private );
        header( Pragma: private );
        $fp = fopen($file,"rb");
        fpassthru($fp);
        fclose($fp);
        exit();

Answer 3

Three options:

Put the file in a blob, and track the permissions in the application.
Slightly less secure, but easier to implement: give no one access to the actual files, then generate a symbolic link using a uuid, but only allow it to persist for the duration of the download.
Give each user their own directory that only they have access to (htaccess) and create symbolic links to each of the files they should have access to in that directory.

第1号是最清洁的,但另2号是可行的解决办法。

友情链接