Laravel storage accessibility confusion - laravel

I'm having trouble figuring out how Laravel's storage works since there are two public folders and I am confused which people talk about when I read posts about it.
Just to put a context, I have an app where I want to store images just for logged in users. I get the fact that public folder allows everybody too see images, I don't want that. There are two folders named public though which are :
I'm quite sure public is just for css/js/index.php etc. and storage/app/public is the folder where stored files are publicly accessible. I am, however, not a 100% sure.
If I want to have private images for logged in users, is it correct having created the clients folder in the storage/app/ folder?
Thanks for your help.

Long story short, Laravel aims for both of them to be the same. And it is explained at great extend in the doc: https://laravel.com/docs/7.x/filesystem#the-public-disk
Even is the storage folder is indeed protected, when you run the command php artisan storage:link you will create a symbolic link between public/storage and storage/app/public.
All the items available in storage/app/public will then be available in public/storage and accessible from the outside.
If you want to prevent public access, then you need to use the local driver (https://laravel.com/docs/7.x/filesystem#the-local-driver) and it will be stored securely within your application. For example:
Storage::disk('local')->put('FOLDERNAME/file.txt', 'Contents');
won't be accessible from the outside.

Related

Symbolic link from public/storage to storage/app/public still makes the files in the storage directory accessible from the web

What I have done
When I researched about storing files in laravel. I came across two approaches.
Storing the assets directly inside the public folder.
Creating a symbolic link from public/storage to
storage/app/public
When I researched about which one two use, I came across this stack overflow link. 👉 Difference between storing files in public directory and in storage in Laravel 5.4
In this link in the top answer it was mentioned,
Public folder means files will be publicly accessible.
For example an image stored in
public/images/my-image.jpegcan be viewed by anyone by
going to mysite.com/images/my-image.jpeg
However, files stored in storage directory are only available to your
app.
👆 Since, including in the mentioned stack overflow post above, and many other posts I have read on different platforms implied the fact that files in the public directory are web accessible whereas the files inside the storage directory are not, I tried to test this by storing files both in the public directory and in the storage directory one at a time, and then checking if the files are accessible through the web url.
My attempts went as below,
First I added the path images/ in the public
directory and placed some images (Let us say
test1.jpg, test2.jpg and
test3.jpg) into that directory. Then inside my blade
template for the src attribute of my
img tags I referred to them as
URL('images/test1.jpg') etc... and they were indeed
rendered on the webpage. Then I also tried to access the images from
the url by going to
http://localhost:8000/images/test.jpg. The result was
as expected, The images were rendered on the web page + they were
accessible from the url
Then I ran the command php artisan storage:link
on the console, which according to the articles I read, should
create a symbolic link between the directories
public/storage and storage/app/public.
As soon as I ran the command, I got a new folder called
storage created in the public
directory. Then I moved all my images to that
public/storage directory. Then set the
src attribute my img tags as
URL('storage/test1.img') etc... the images were
rendered on the web page. Then I tried to check if the images are
still accessible from the url. for that on the url bar I went to
http://localhost:8000/storage/test1.jpg. The
images were STILL ACCESSIBLE from the url.
Problem
However, according to the answer I have mentioned and some other similar links, I expected those images to not be accessible from the url in the 2) above since the images should now be actually in the storage/app/public which we have created a symbolic link to from public/storage. (Files inside the storage directory should not be publicly accessible right?)
This led me to two questions,
Why are the images are still being accessible from the url even after I created a symbolic link from public/storage to storage/app/public and stored the images in the public/storage directory?
As happened with my case, if the files in the
public/storage are still accessible through the web
url, what are the advantages of actually creating the symbolic link?
It does not seem to offer any more security since the files are
still accessible from the url.
It would be really helpful if anyone can help me understand the answers to the above two questions I have. Thanks.
What's happening to you is the expected behavior.
The purpose of Laravel storage is to interact with your local files and make use of Laravel helpers, besides being easily shared across deployments.
Saying that I would avoid moving your files directly to your public folder.
On the other hand, by adding files to your storage/app/public folder you are assuming that those files will be publicly accessible, but they won't be until you create a symbolic link which is a special kind of file that points to another file.
When you create a symbolic link you are saying "hey, if the user reaches http://localhost:8000/storage/ just show the files stored in storage/app/public"
So if you want private files (and you have created a symbolic link) just don't upload them to your storage/app/public folder, instead of that put your private files out from the public folder such as storage/app/myfiles
He are your answers:
1 - Why are the images are still being accessible from the url even
after I created a symbolic link from public/storage to
storage/app/public and stored the images in the public/storage
directory?
Because in fact, you have created a symbolic link for that purpose, making the storage/app/public publicly accessible.
2 - As happened with my case, if the files in the public/storage are
still accessible through the web url, what are the advantages of
actually creating the symbolic link? It does not seem to offer any
more security since the files are still accessible from the url.
As said, the advantage is to make use of Laravel filesystem. The public link doesn't determine the privacy of your files
You might have many different types of files in one project. Some are accessible to the public, like images embedded in a website (as your example shows), and some are private files, let's say, for example, a pdf of a private report.
Any file that is accessible to the public can be stored in either storage/public or directly in public. As you have observed, no difference there since the former would have a symlink established.
However, private files cannot be stored storage/public (if symlink is established) and especially not directly in public folder for obvious reasons.
Those files can go in storage/app/NOT_PUBLIC_REPO. These files should be made accessible via protected routes (along with signed routes if you want extra protection).

directory for public and private file in laravel

I want to create a website for selling quality photos using Laravel framework.
I want to show everyone the photo mockup on the home screen.
But the original file(zip) can be downloaded after purchase.
Is it best to place the mockup file in the Storage/app/public path and the zip file in the Storage/app/files path?
If I do, I can access the mockup file using php artisan storage:linkand display it on the home screen. But I have no idea how to download the zip file.
If this method of storing files and mockups is correct, secure and standard, please tell me how to access the zip file.
But if this is the wrong way, tell me the right place to put the files and mockups
If it's public to everyone then there is no problem to make it public, so If you were to use your local driver and would want to make files accessible in your storage folder then you would run an artisan command like below
php artisan storage:link
This will ensure that files are accessible publicly as example.com/public/storage/whateverfile.
However, for the people who have purchased the image, you need to use authentication or authorization to handle it, eg. if you want the files to be only accessible to authenticated user then maybe you can put the files in storage/myViewFile which will make sure that files in the folder aren't publicly accessible. Then using a controller with an auth middleware or route with middleware you can make files accessible.
Route::get('/storage/files/{file}', 'FilesController#show')->middleware('auth');
and for downloading files you can do it in the show method using laravel download response
return response()->download($pathToFile);
//or
return response()->download($pathToFile, $name, $headers);
//or
return response()->download($pathToFile)->deleteFileAfterSend();

What should be the better way to store images or files to folder in laravel application

I am doing a project using Laravel. Now, I have to store customers, users etc images both in the database and application folder. There are two ways to store images or files in laravel application.
Inside public folder I can store.
Another one is, inside storage/app/public
From these two ways, what should be better to do this. Would someone suggest me please?
Thanks in advance.
There's not an enormous difference, but in general, it's better to put things in storage/app/public.
This allows you to give Laravel write permissions to the storage folder, while leaving its permissions on public as read-only. This is a bit more secure.
Generally, if your files need to be publicly available you it is recommended you use the laravel "Public Disk" which exposes yoursite.com/storage/ as a symbolic link to your_app/storage/app/public.
You can activate the public disk by running
php artisan storage:link
If files uploaded do not need to be directly accessed via the web, it is recommended that you use the "Local Driver" - these files are kept securely inside your_app/storage/app - one level up from the public folder and are not directly accessible by a web browser.
You are of course free to create any file structure in these directories as you need for your customers etc.
The Storage class helper is extremely useful.

Is there a proper path for storing images (Theme and Uploads) in Laravel?

I'm relatively new to Laravel - building a basic website with it - and I'm unclear as to where I'm suppose to store images.
My instinct said /resources/images but that path doesn't exist like /js and /css do.
I read that /storage/app/public/images could be, but the answers I'm finding are inconclusive.
I understand the local may differ if they were uploaded through a GUI by an end-user vs by a developer who is creating a theme / template.
I'd like a citation to official documentation assuming one exists. Thank you!
I unintentionally discovered this Laravel official documentation which explains the purpose of each directory. In that it states the following:
This (/public) directory also houses your assets such as images, JavaScript, and CSS.
Based on the next quote it's implied the above is referring to images uploaded by the developer for the front end. Whereas the following explicitely states it's for user-generated files:
The /storage/app/public directory may be used to store user-generated files, such as profile avatars, that should be publicly accessible.
Earlier in the documentation is makes a subtle but, presumably, essential note:
By default, the public disk uses the local driver and stores these files in storage/app/public. To make them accessible from the web, you should create a symbolic link from public/storage to storage/app/public.
#techcyclist rightly referenced more official documentation about how to reference these in their respective locations. Such as files in the /storage this way, and the public directory this way. It also mentions advanced options for storage such as Amazon S3 under "Specifying a Disk".
Usually images are stored in public folder and you can easily access then with /img/somepic.jpg from anywhere in your project. Also you can store them in storage/images but then you need to use function for relative path to storage.
image does not exist in resources folder it exists in public folder
try like this, it will pick public folder default.
{{url('images/image_name')}}

Storage laravel. Is this secure to keep private image?

Hi i'm working on sell picture project. I want to secure image in public folder . I follow this way How to protect image from public view in Laravel 5?
Everything work fine. I just want to make sure in storage Path thier is no way to access with URL right? I put my image into storage/images not storage/app/public
If i storage link it will be effect to my private image or not thanks
In Laravel the root of the webserver is the public directory and the entrypoint is public/index.php.
This means that you can access via web server everything under public directory (like javascript/css files and image assets).
The storage directory is one level up and there is no way to access it.
In the discussion you mention the url http://www.somedomainname.net/images/users/userImage.jpg refers to the file userImage.jpg under /your/document/root/laravel/app/public/images/users by default, so the storage directory is not even read.
Laravel, though, will let you link the storage/app/public directory inside the public/storage directory, using the command php artisan storage:link, but that's it.

Resources