3

I`m looking for some solution which will make my directory with pictures secured. In my page only Administrator have permission to upload the pictures. User have opportunity only to view a picture for products. I want to make directory more secured. I want to make it difficult to download all pictures from some kind of scripts.

For now I tried with .htpaccess and .htpasswd it work fine but when User trying to see the product page(where are available pictures form secured folder) htpaccess is requiring a username and password.

Is it possible to enter username and password to this directory from server side when user is watching the product page. And in case that he open a link of the picture in new window then user name and password is required?

Do you know some other solutions?

Cheers

Kosmonaft
  • 1,286
  • 2
  • 17
  • 30

2 Answers2

5

Don't store the images in your web folder where everyone can access them. Instead, store them outside of the web path (for example in app/data or so) and use a symfony controller to deliver them. This way you can use the symfony security component.

Pierre
  • 874
  • 6
  • 8
  • The problem is that if I store the in app/data then I can`t see them in Product preview :( When I click- Open image in new tab I see "Access forbidden!". Any idea how to fix this? in app directory i have .httaccess and inside is "deny all" – Kosmonaft Feb 02 '14 at 07:51
  • So you want your images to be **available to public** through product preview but **not be available to public**? Seems kinda contradicting to me. As for the answer, @Pierre is right, you should use controller and Symfony2 access control to set up access rules. – Igor Pantović Feb 02 '14 at 09:23
  • When you store your images outside the webfolder, the webserver can't access them directly anymore. Instead, Symfony reads them from there (because it is not bound to those access restrictions) and delivers the content to the user. Add a route that contains the filename as parameter, and deliver the content of the image via readfile(). You can find more info about this here: http://stackoverflow.com/questions/4286677/show-image-using-file-get-contents – Pierre Feb 02 '14 at 10:23
  • I provided almost the same answer **[to this question](http://stackoverflow.com/a/20396727/1832745)** :) – Nicolai Fröhlich Feb 02 '14 at 16:51
  • Thank you for all of this information :) It will be useful. btw I add Order allow,deny Allow from all in .htaccess and now i can preview the images. Unfortunately Administrator can`t upload a new file in this directory. I will look at this now: http://symfony.com/doc/current/components/http_foundation/introduction.html#serving-files – Kosmonaft Feb 02 '14 at 19:15
2

In addition to good answer by @Pierre, you can use a filesystem abstraction layer. I'd recommend using Gaufrette. To integrate it with Symfony, you could use KnpGaufretteBundle.

It will give you way more flexibility as

  • using external filesystems (ex. Amazon S3, FTP, sFTP)
  • use Symfony Security component or ACL.

Everything depends on your need and your approach in the project. However, if you need some flexibility, I'd recommend try it out.

Andrzej Ośmiałowski
  • 1,464
  • 12
  • 21