hi guys im pretty new in laravel 4.2 i have a project that stores file in the server and what i did based from the opinion of other people, when the user saves a file it goes to app/storage/uploads my problem is when i know the url to the file, it still have access to the file. for example it is a pdf file, it opens in the browser or if it is doc, xls, xlsx etc it triggers a download what i'm tying to do is when the user tries to access that url, it would go to a certain view informing them that the folder is restricted so far i have this on my routes
Route::get(storage_path().'uploads/{all?}' , 'sample#restrict');
then in my controller
public function restrict()
{
dd("WHOOOPS!"); //for trial purposes
}
any ideas what im doing wrong? thanks in advance
With normal configuration web server has access only to a public directory.
If you set public directory as root for a virtual host, noone will be able to access app or storage directories which are outside public.
Related
I am storing a file on the public directory. If my file is a 100 character random string, could someone potentially find this file? Is there any way to protect the public directory for Laravel?
Do not attempt to do this. Security by obscurity is not a valid approach.
A few flaws to this approach:
If I knew the file existed, but not its name: I could try every combination to find it.
The web server may have an unknown flaw that allows directories to be listed?
If HTTPS is not utilized, anyone monitoring requests could see the file.
The best way would be to create a view that serves the file, stored outside the public directory(/storage), and secure the view with a single use token or login.
I am using the Storage::url() function for generating download links for files inside the storage directory, i also linked the storage directory to the public directory and everything is working fine.
However now any person can download the files without needing any authentication. What is the proper way to secure all routes starting with /storage/..... without having to re-write the download logic inside my controller?
you must add the download URL as a route on your routes.php file :
Route::get('downloads/{file}','MyController#download')->where('file', '^[^/]+$')->middleware('auth');
of course, don't forget to check if the file exists, after that you can use
$reponse()->download()
to return a download response. the method takes 3 parameters : file path, file name and HTTP response headers.
for more details, check this :
https://laravel.com/docs/5.7/responses#file-downloads
I'm not a pro with server management, I mainly do web design on Joomla.
Our IT Manager recently left and I was given access to everything since no-one else in our company knows web.
We have a main site. In this example I'll name the site as cookies.com for example sake.
www.cookies.com is the main site. The domain is cookies.com only. We have 3 server accounts for this.
123reg - to buy the domain and renew
heartinterner - to host the website
1and1 - this is where it is redirected (or something), well all the files are found in virtual servers here.
When I go to the virtual servers, there are a couple of directories, and eventually I can find a folder called "var" which leads me to another directory. I go to "www" and I find so many site folders there, including cookies.com and dev.cookies.com and more
My objective was to backup and restore cookies.com to dev.cookies.com so that I can work on it and replace the original cookies.com later on. I use Akeeba Backup for this.
The issue is, as soon as I started making changes to dev.cookies.com, cookies.com also made those changes.
I'm very confused- what's going on here? Is there something written in the files that direct the database or whatever to the same place, for which reason the changes occur together?
Sorry this is very confusing. Please suggest if you can what I can do. I know this might not be much information.
Thank you!
You probably have used the same database for both. Create another database and user for dev.cookies.com and use that database and user to create the new dev site. Check in the configuration.php file that these values should be different.
public $db = 'joomla';
public $password = 'db_password';
public $user = 'root';
These are all database values. Also check these settings
public $log_path = 'C:/xampp/htdocs/joomla/administrator/logs';
public $tmp_path = 'C:/xampp/htdocs/joomla/tmp';
im fairly new to laravel and im currently working on a project that needs to store files in the server. What im doing is store it under public/docs the problem is the files under that directory is accessible all the time given that they know the url to the certain file. for example even if they are logged out if they know this url http://localhost/dummy/public/uploads/docs/2016-06-02-10-52-43-oth-content-inventory-and-planning-spreadsheet.pdf they would be able to access it what im thinking is to do something like this
in my routes i would do something like
Route::any('uploads/docs/' , 'go to some controller to check if user can acces');
is this possible? thanks in advance!
it's called public for a reason...
you should use storage instead (laravel 5) in storage you dont restrict access, actualy the opposite, you grant access to the file .
try this for laravel 4.2 (move the file after upload like this to a storage folder)
Input::file('file')->move(__DIR__.'/storage/',Input::file('file')->getClientOriginalName());
});
Anyway ,the conclusion is that you can't restrict access (you shouldn't even if there is a way) because it's meant to be public ! so you should use storage folder(or whatever its called in laravel 4)
I'm using GroceryCRUD to act as a front end for a database containing news releases. Secretaries can go in and add/edit/delete news releases in the database easily now. Only qualified users are able to access the application root via an .htaccess password. The problem with this is that GroceryCRUD uploads assets such as photos are uploaded to the directory /www/approot/assets/uploads/ which is password protected since /approot/ is protected.
My ideal solution would be to set an upload directory outside of the application root which is where I'm running into trouble. By default this is how GroceryCRUD handles uploads:
$this->grocery_crud->set_field_upload('photo1','assets/uploads/');
I've tried changing it to something like this:
$this->grocery_crud->set_field_upload('photo1','/public/assets/uploads/');
I was hoping this / would make the path start from the document root instead of the application root, but it throws this error:
PHP Fatal error: Uncaught exception 'Exception' with message 'It
seems that the folder "/Users/myusername/www/approot//public/assets/uploads/"
for the field name "photo1" doesn't exists.
This seems to suggest that CI or GroceryCRUD just takes the second argument in set_upload field and just concatenates it onto the end of the site URL that is defined. Is there any way around this that doesn't involve creating a user login system?
Try using relative path.
$this->grocery_crud->set_field_upload('photo1','../assets/uploads/');
.. -> Go up one directory
I ended up implementing a login system outlined in this tutorial:
http://net.tutsplus.com/tutorials/php/easy-authentication-with-codeigniter/
It was quite simple to set up and suits my needs. I found ways to give access to the directory using httpd.conf directives but I feel like this was a more viable solution since I don't have direct access to server configuration files.
Maybe in the future GroceryCRUD will allow placement of uploads outside the application folder.