
We're running CakePHP 2.3...

We need to control access to PDF files. For example, we need users to be able to view/download their own PDF but not others. Admins can view them all. Etc.

The first question is where these files should live within CakePHP's directory structure.

We experimented with /webroot/files/... but it appears that these are publicly accessible (i.e., anyone can navigate directly to any file if they know the full path: www.example.com/files/private.pdf).

Once the files are stored in a secure location, the second question is what is the best way to handle authorization so that the proper users can access the proper files.

It feels like CakePHP has some built in support for this, but we can't find documentation for it.

emersonthis

2 Answers

Don't put files you don't want publicly available in the webroot. No .htaccess modification is needed then.

To send the files to the client through php there is the media view or the request object. What you'll use depends on your CakePHP version.

Whatever auth adapter you're using will apply to the FilesController::download() method or whatever your method and controller is named.

floriank

You'll need to add an .htaccess file in the folder wherever you keep your pdfs to deny access to them through normal means (see: deny direct access to a folder and file by htaccess). It doesn't particularly matter where you put your pdfs, though I recommend somewhere in your webroot folder, and in their own folder.

Then, you'll need to add a function in one of your controllers that will display the pdf, rather than just linking to it. In CakePHP < 2.3, you can do that with the mediaview class: http://book.cakephp.org/2.0/en/views/media-view.html In newer versions of CakePHP, it's done by sending files: http://book.cakephp.org/2.0/en/controllers/request-response.html#cake-response-file

Kai
  • Thanks. Can you speak a little about how Cake's sending of files interacts with the .htaccess rule? Do we need a specific exception that allows (Cake)PHP to access the directory with the PDFs? – emersonthis Sep 24 '13 at 16:22
  • .htaccess should block people from viewing the pdfs directly on the internet, but CakePHP will be accessing the files without going through the internet (by navigating the file system), so .htaccess rules will not apply to it. Users will then go to the url defined by the controller and action where you decide to put your view pdf function, which will be a completely separate location from where the pdfs are actually located. – Kai Sep 24 '13 at 16:32
  • Ahh. I see. The controller references the path rather than the URL to the files (which is what .htaccess cares about). That makes sense. But if this is the case, why put it in the webroot? – emersonthis Sep 24 '13 at 16:37
  • It's not necessary to, I just like keeping assets in one place. But it is true if you choose to put it somewhere else entirely, you can avoid needing the .htaccess file. – Kai Sep 24 '13 at 17:05
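A controller along the lines of what floriank and Kai describe, as an added example that is not code from either answer or from CakePHP itself: the PDFs live outside webroot so Apache never serves them, the action checks owner-or-admin before anything is sent, and the file goes out through CakeResponse::file(). The File model, its columns (id, user_id, filename), the storage path app/files/ and the 'admin' role are assumptions.

```php
<?php
// Added example, not from the original question or answers. Assumes CakePHP 2.3,
// AuthComponent configured in AppController (so only logged-in users reach this
// action), a File model with columns id, user_id and filename, and PDFs stored
// in APP/files/ (app/files/, outside webroot, so Apache never serves them).
App::uses('AppController', 'Controller');

class FilesController extends AppController {

    public $uses = array('File');

    public function download($id = null) {
        $storageDir = realpath(APP . 'files');
        $file = $this->File->findById($id);
        if (!$file) {
            throw new NotFoundException(__('Invalid file'));
        }

        // Authorization: owner or admin only, checked on every request in PHP,
        // independently of anything Apache or .htaccess does.
        $user = $this->Auth->user();
        $isOwner = (string)$file['File']['user_id'] === (string)$user['id'];
        $isAdmin = isset($user['role']) && $user['role'] === 'admin';
        if (!$isOwner && !$isAdmin) {
            throw new ForbiddenException(__('You may not access this file'));
        }

        // basename() strips any directory components from the stored name and
        // realpath() confirms the result still lies inside the storage directory.
        $path = realpath($storageDir . DS . basename($file['File']['filename']));
        if ($path === false || strpos($path, $storageDir . DS) !== 0) {
            throw new NotFoundException(__('File missing'));
        }

        // CakeResponse::file() (2.3+) sets the headers and streams the file;
        // 'download' => true adds Content-Disposition: attachment.
        $this->response->file($path, array(
            'download' => true,
            'name' => basename($file['File']['filename']),
        ));
        return $this->response;
    }
}
```

Because the path comes from the database record rather than the request, and the directory sits outside webroot, the only route to a PDF is /files/download/{id}, which this action guards.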