[英]Prevent direct access to files like an EDM(?)
i have a php web app used by several users.我有一个由多个用户使用的 php 网络应用程序。 They can upload files in a directory : "files" a sub directory is created with the unique name given to the user "foo" and the file is stored, so: mydomain.com/files/foo/thefilename.doc
他们可以在一个目录中上传文件:“files”创建一个子目录,并使用赋予用户“foo”的唯一名称并存储文件,因此:mydomain.com/files/foo/thefilename.doc
It works but to prevent direct access to the file and to prevent others users to access a file they don't belong, i placed a .htaccess file with:它可以工作,但为了防止直接访问该文件并防止其他用户访问他们不属于的文件,我放置了一个 .htaccess 文件:
Order Deny,Allow
Deny from all
It works BUT, in my web app if the user "foo" want to access and display his files, he receive a 403 error.它有效但是,在我的网络应用程序中,如果用户“foo”想要访问和显示他的文件,他会收到 403 错误。
How can i do (like an EDM Electronic Document Management) to store files prevent direct access but give access to the right user?我该怎么做(如 EDM 电子文档管理)来存储文件以防止直接访问但向正确的用户提供访问权限?
Thanks a lot非常感谢
You can do it by getting dynamically with PHP and rendering file-contentens.您可以通过使用 PHP 动态获取并呈现文件内容来实现。
Maybe like this:也许是这样的:
$filename = $_GET['filename'];
// TODO: fill $allowedFiles[];
if (!in_array($filename, $allowedFiles))
exit;
header('Content-Type: text');
header('Content-Disposition: attachment;filename="' . $filename . '"');
header('Cache-Control: max-age=0');
echo file_get_contents($filename);
Of course it's just concept当然只是概念
Why don't use a session?为什么不使用会话?
just add <?php session_start() ?>
at the begin of each page (before <! DOCTYPE>
. And limit the access to some file following the user logged?只需在每个页面的开头添加
<?php session_start() ?>
(在<! DOCTYPE>
之前。并限制对用户登录后的某些文件的访问?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.