
symfony2 .htaccess web folder block access to some sub folder

I have the following subfolders in the web folder.

  • /themes/shop/1/html
  • /themes/shop/1/asset
  • /themes/shop/2/html
  • /themes/shop/2/asset

I want to block access to any html folder inside themes folder and allow access to all the asset folders only.

How can I achieve this with .htaccess or by symfony2 access control?

You can do this with .htaccess by providing users an HTTP 403 - Forbidden error if they try to access them:

RewriteRule ^themes/shop/(.*)/html(.*) - [L,R=403]

Or, if you prefer a 404 - Not Found:

RewriteRule ^themes/shop/(.*)/html(.*) - [L,R=404]

Since you mentioned you're using Symfony, you should also take care to place the rule in the right place so that other rewrite rules don't take over:

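<IfModule mod_rewrite.c>
    RewriteEngine On

    # Put them first, otherwise they might get routed elsewhere.
    # In .htaccess (per-directory) context the pattern is matched against a
    # path without a leading slash, so it must not start with "^/".
    RewriteRule ^themes/shop/(.*)/html(.*) - [L,R=403]

    #...

</IfModule>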

As per the comments and a gist linked by @basit: you can add additional checks to ensure that any requested resources exist, are actually asset files, and are contained only in the asset folders.

# contents of the gist linked above - in case the link ever breaks    

# If the requested filename exists, simply serve it.
# We only want to let Apache serve files and not directories.
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} !^/themes/stores/(.*)
RewriteCond %{REQUEST_URI} !^/themes/shop/(.*)
RewriteRule .? - [L]

# allow stores asset folder only
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g|png|js|css|svg|svgz|eot|otf|woff|woff2|ttf|swf|php|ico|txt|pdf|xml)$
RewriteCond %{REQUEST_URI} ^/themes/stores/(.*)/asset/.*
RewriteRule .? - [L]

# allow shop asset folder only
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g|png|js|css|svg|svgz|eot|otf|woff|woff2|ttf|swf|php|ico|txt|pdf|xml)$
RewriteCond %{REQUEST_URI} ^/themes/shop/(.*)/asset/.*
RewriteRule .? - [L]
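A way to check the deny rule before deploying it, as an added example that is not part of the original answer or the linked gist: it models how mod_rewrite tests a RewriteRule pattern in .htaccess context (the directory prefix, including its trailing slash, is stripped before matching) and compares the pattern with and without a leading slash against constructed request paths. It assumes the .htaccess file sits in the document root; the function names, the sample paths and the tightened pattern are assumptions made for this example.

```python
import re

# Deny patterns under test. TIGHTENED is an assumption added for this example.
LEADING_SLASH = r"^/themes/shop/(.*)/html(.*)"
NO_SLASH = r"^themes/shop/(.*)/html(.*)"
TIGHTENED = r"^themes/shop/[^/]+/html(/|$)"


def per_dir_path(url_path, htaccess_url_base="/"):
    """Model per-directory prefix stripping: everything up to and including
    the .htaccess directory's trailing slash is removed, so the string the
    pattern sees never starts with '/'."""
    if not url_path.startswith(htaccess_url_base):
        raise ValueError("path is outside the .htaccess directory")
    return url_path[len(htaccess_url_base):]


def is_blocked(pattern, url_path):
    """True if 'RewriteRule <pattern> - [L,R=403]' in .htaccess would fire."""
    return re.search(pattern, per_dir_path(url_path)) is not None


# Constructed sample requests: (URL path, should it be blocked?)
SAMPLES = [
    ("/themes/shop/1/html/index.html", True),
    ("/themes/shop/2/html", True),
    ("/themes/shop/1/asset/app.css", False),
    ("/themes/shop/1/asset/html5shiv.js", False),  # asset whose name starts with "html"
]


def mismatches(pattern):
    """Sample paths where the rule's verdict differs from the intent."""
    return [path for path, want in SAMPLES if is_blocked(pattern, path) != want]


if __name__ == "__main__":
    for name, pat in [("leading slash", LEADING_SLASH),
                      ("no slash", NO_SLASH),
                      ("tightened", TIGHTENED)]:
        print(f"{name:14} {pat:30} wrong on: {mismatches(pat) or 'nothing'}")
```

The leading-slash form lets every html folder through in .htaccess context, and the `(.*)/html(.*)` form also blocks asset files whose names begin with "html"; anchoring the folder name with `[^/]+/html(/|$)` avoids both.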

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
