
I have the following in my security.yml file:

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/forum/, role: ROLE_USER }
        - { path: /usuarios/, role: ROLE_NO_ACCESS }

but if I try to access a file inside /public/img/usuarios/otherDirectory/ by typing its path into the address bar, the image is shown in the browser.

Why isn't it denying the access?

Update

I've tried to add this to the Apache site configuration (in my localhost):

    <Directory /home/me/MyServer/itransformer-2.0/web/public/img/usuarios>
        AllowOverride none
        Options -Indexes
        Order allow,deny
        Deny from all
    </Directory>

but I can still access the images directly. Maybe I'm doing something wrong...

Manolo
  • I'm not familiar with this .yml structure, but it seems that you are only blocking the `/usuarios/` path; try to use a wildcard like `/usuarios/*` or `*/usuarios/*` – Jorge Campos Oct 28 '13 at 23:20
  • What are your rewrite rules? Typically, if the file exists, it is served directly by the web server, not processed by PHP. – dev-null-dweller Oct 28 '13 at 23:22
  • @JorgeCampos: sorry but you're wrong, the syntax is correct (see the [documentation](http://symfony.com/doc/current/book/security.html#securing-specific-url-patterns)). – A.L Oct 28 '13 at 23:23
  • @ManoloSalsas: The image is not served by a controller or a Symfony2 URL (used by the router), so you can't control access to the image. I can't find any tutorial that explains whether it's possible to serve the image from a controller. – A.L Oct 28 '13 at 23:25
  • @dev-null-dweller - That's the question. Is there any way to deny access to it? – Manolo Oct 28 '13 at 23:25
  • @n.1 - Well, I see it's not as easy as I thought. Thanks for your time. – Manolo Oct 28 '13 at 23:28
  • @ManoloSalsas yes, but you have to do it in the web server configuration first (like `.htaccess` in Apache). – dev-null-dweller Oct 28 '13 at 23:29
  • @dev-null-dweller - Well, I've tried without success. I've updated my question. – Manolo Oct 28 '13 at 23:57
  • _but I can still access the images directly_ Browsers must have access to the images in order to show them. You can filter by `HTTP_REFERER` (see [this example](http://blog.servergrove.com/2011/05/04/how-to-stop-people-from-hotlinking-your-image-files/)) but users will have to come to your website in order to view your images and accessing the file directly from the URL will prompt an error. – A.L Oct 29 '13 at 09:39
  • @n.1 - I like your option, but tried it without success: http://stackoverflow.com/questions/19656103/prevent-hotlinking-image-files/19656276?noredirect=1#19656276 – Manolo Oct 29 '13 at 11:05
  • @n.1 - Done. Look at the link above. – Manolo Oct 29 '13 at 11:18

1 Answer

Your file is in the public folder, so it is public; in other words, this is not the right place to store a private file.

According to this post (or this one on Stack Overflow), you can serve a file from a controller. So try to use this controller behind a protected URL.

To serve multiple files, you'll have to store the paths of your files in your database. For example:

+----+------------+
| id |    path    |
+----+------------+
|  1 | image.jpg  |
|  2 | image2.jpg |
+----+------------+

The management of files is explained in the Symfony2 cookbook.

A.L
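An added example (not code from the question or the answer) of the approach the answer describes: a Symfony 2.3-style controller that serves a file from a directory outside web/, so Apache cannot serve it directly and only the protected route reaches it. It assumes a hypothetical UserFile entity (id, ownerId, path), files stored under app/../private/usuarios/, and an access_control entry `{ path: ^/usuarios/, role: ROLE_USER }` covering the route in place of the ROLE_NO_ACCESS rule.

```php
<?php
// Added example, not from the question or answer. Assumed: a UserFile entity
// (id, ownerId, path) and files stored OUTSIDE web/, under app/../private/usuarios/.
namespace Acme\FilesBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class UserFileController extends Controller
{
    // Route /usuarios/file/{id}: covered by access_control ^/usuarios/ -> ROLE_USER.
    public function downloadAction($id)
    {
        $security = $this->get('security.context');
        // Defence in depth: re-check the role in code, not only in security.yml.
        if (!$security->isGranted('ROLE_USER')) {
            throw new AccessDeniedException();
        }

        // The client supplies only a numeric id; the path comes from the database.
        $file = $this->getDoctrine()->getRepository('AcmeFilesBundle:UserFile')->find($id);
        if (!$file) {
            throw new NotFoundHttpException();
        }

        // Only the owner (or an admin) may read it.
        if ($file->getOwnerId() !== $this->getUser()->getId() && !$security->isGranted('ROLE_ADMIN')) {
            throw new AccessDeniedException();
        }

        // Resolve the stored path under the private base dir and refuse anything
        // that escapes it (e.g. a tampered row containing "../").
        $baseDir = realpath($this->container->getParameter('kernel.root_dir') . '/../private/usuarios');
        $fullPath = realpath($baseDir . '/' . $file->getPath());
        if ($fullPath === false || strpos($fullPath, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
            throw new NotFoundHttpException();
        }

        // Stream the file with the right Content-Type; mark it private so shared
        // caches never hand it to another user.
        $response = new BinaryFileResponse($fullPath);
        $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_INLINE, basename($fullPath));
        $response->setPrivate();
        return $response;
    }
}
```

Because the files live outside the document root, a direct URL such as /public/img/usuarios/... no longer resolves to anything Apache can serve, which is what the security.yml rule alone could not achieve.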
  • I've asked about avoiding direct access to the image, but I'm already working with everything you say in the answer. The question is just about avoiding direct access when the path is known (theoretically you won't know any paths except your own). Thank you anyway. – Manolo Oct 28 '13 at 23:43
  • If nobody knows the path, why do you try to avoid direct access? Can the path of a file be guessed by a visitor? For example by trying all the combinations of letters in a short time? – A.L Oct 29 '13 at 00:02
  • Because the paths' and files' names are based on the session id. That's my fear. – Manolo Oct 29 '13 at 00:06
  • Why use the session id? You can use a completely random hash as an identifier. – A.L Oct 29 '13 at 09:36
  • Because I'm automatically removing the files every 30 minutes with a crontab job, so I have to know the current users and the directories where they save their files so as NOT to remove them. – Manolo Oct 29 '13 at 09:58