Redirect to a file outside of the domain Root

Question

I want to give a file to a person based on the users rank so I need to hide the files in a directory which is hidden.

I'm using Plesk and my structure looks like this:

api (reachable from https://api.pexlab.net)
cloud (reachable from https://cloud.pexlab.net)
default (reachable from https://pexlab.net)
error_docs
hidden (not reachable)

My PHP script is located in:

api/hub/Test.php (reachable from https://api.pexlab.net/hub/Test.php)

I have tried this:

# In Test.php
downloadFile("../../hidden/hub/download/assets/user/main.fxml");

# Function:
function downloadFile($file) {
   if(file_exists($file)) {
       header('Content-Description: File Transfer');
       header('Content-Type: application/octet-stream');
       header('Content-Disposition: attachment; filename='.basename($file));
       header('Content-Transfer-Encoding: binary');
       header('Expires: 0');
       header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
       header('Pragma: public');
       header('Content-Length: ' . filesize($file));
       ob_clean();
       flush();
       readfile($file);
       exit;
   }
}

This method works but I want to redirect to this file (show it) and NOT download it. So I have tried using this:

header("Location: ../../hidden/hub/download/assets/user/main.fxml");

But this tried to redirect to https://api.pexlab.net/hidden/hub/download/assets/user/main.fxml which is invalid.

Answer 1

The only difference between "viewing" and "downloading" a file is what the browser does with the data. Ultimately, that's in the hands of the user, but the server can indicate what it would like to happen.

I suspect you have copied these lines without really understanding what they do:

   header('Content-Description: File Transfer');
   header('Content-Type: application/octet-stream');
   header('Content-Disposition: attachment; filename='.basename($file));
   header('Content-Transfer-Encoding: binary');
   header('Expires: 0');
   header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
   header('Pragma: public');
   header('Content-Length: ' . filesize($file));

These are all instructions to the browser telling it what to do with the data you send.

• The Content-Disposition header is used to tell the browser "rather than trying to display this content straight away, suggest the user saves it in a file, with this name". To use the browser's default behaviour, you would simply leave off this header, or give it the value inline .
• The Content-Type header tells the browser what type of file this is. The value application/octet-stream means "just a bunch of bytes, don't try to interpret them in any way". Obviously, that would be no good for viewing a file in the browser, so you should send an appropriate "MIME type", like text/html or image/jpeg , as appropriate for the file you're serving. I'm guessing "FXML" is an XML-based format, so text/xml might be appropriate; or if it's human readable and you just want it displayed without any formatting, use text/plain .

Answer 2

Ok, I did it myself now. It was very simple and little code:

$line = file('../../hidden/hub/download/assets/user/main.fxml');

foreach ($line as $num => $output) {
  echo $output;
}