3

I've read that files in the public folder are accessible via a web browser in Laravel. When I type in the path to files in my public folder, I don't see the file, unless I defined the path in the routes.

I am making a downloads page so that a user can download encrypted/classified materials via a form.

I do not want the ability for a user to access the files in any other way other than the download form or other controlled methods.

Do I need to create, let's say, a private folder and store the files there? If I do, will I still have access to the files in the back end?

Or are files in the public folder not accessible unless defined by the routes? If that's right, could I just store the files under public?

rich green

2 Answers

10

Files under the public folder are accessible by anyone, unless your webserver has a policy set for a particular directory.

If you are currently not able to access a file in your public folder, it is maybe because you are not writing the URL correctly, i.e.:

A file in

/var/www/myapp/public/img/logo.png 

Will be accessible via:

http://myapp.com/img/logo.png

Note that the public part of your folder is not present in your URL ONLY IF your webserver is correctly configured and your .htaccess file is in place and able to rewrite your URL.

For sensitive files, what you can do is store them inside your app folder (or any other folder outside public), where just your application will have access to them. Something like this can be OK:

/var/www/myapp/app/storage/<create a new folder here>

And then, yes, create a route to read and present your secure files:

Route::get('readfile/{fileName}', ['before' => 'auth', 'uses' => 'ReadFileController@read']);

The filter 'before' => 'auth' will ensure that someone who is not authenticated will never be able to access a file.

In your controller you could do something like this to check if one can see a file:

class ReadFileController extends Controller {

    public function read($fileName)
    {
        if(Auth::user()->id == 1) // of course this is not a good way, just an example
        {
            return $this->getFile($fileName);
        }
        else
        {
            return Response::make(null, 403); // forbidden
        }
    }

    private function getFile($fileName)
    {
        // ... read the file from the folder outside public and return it
    }

}
Antonio Carlos Ribeiro
  • TY this clears up a few things. Just to clarify, when you say " ... webserver correctly configured..." you mean configured correctly to support not needing to type public, not configured correctly in general? Also, is the authentication just allowing certain users to use that route to access any file, or is it authenticating per file/directory? I mean, if a user wanted, could they type in a path to look at one file when they should only be able to look at another file? – rich green Feb 26 '14 at 19:25
  • Configured to point to public and rewrite URLs and remove index.php from them. If it's correctly configured, this is how you access a file, and anyone else would be able to as well. Just edited to answer your second question. – Antonio Carlos Ribeiro Feb 26 '14 at 19:32
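
The per-file question raised in the comments, as an added example that is not part of the answer above or of Laravel itself: plain PHP that maps the `{fileName}` route parameter to a file in a private folder only if the name is well formed, the user is allowed that specific file, and the resolved path stays inside the folder. The function name `resolvePrivateFile`, the temporary directory, the file names and the allow-list are all constructed for illustration.

```php
<?php
// Added example: directory layout, file names and the allow-list are constructed.

/**
 * Map a requested name to a real file inside $baseDir, or return null.
 * $allowed is the list of file names this user may download (hypothetical ACL).
 */
function resolvePrivateFile(string $baseDir, string $fileName, array $allowed): ?string
{
    // Only plain file names: no slashes, backslashes, NUL bytes or empty strings.
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $fileName)) {
        return null;
    }
    // Per-file authorization: being logged in is not enough.
    if (!in_array($fileName, $allowed, true)) {
        return null;
    }
    // realpath() resolves ".." and symlinks; the result must still sit under $base.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $fileName);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a private folder with two files and one file outside it.
$root = sys_get_temp_dir() . '/private_demo_' . getmypid();
mkdir($root . '/files', 0700, true);
file_put_contents($root . '/files/report.pdf', 'report');
file_put_contents($root . '/files/payroll.pdf', 'payroll');
file_put_contents($root . '/secret.txt', 'outside');

$acl = ['report.pdf'];  // what the current user may download
foreach (['report.pdf', 'payroll.pdf', '../secret.txt', '..', 'missing.pdf'] as $name) {
    $path = resolvePrivateFile($root . '/files', $name, $acl);
    echo str_pad($name, 16), $path === null ? "denied\n" : "serve $path\n";
}
```

Only `report.pdf` is served; `payroll.pdf` exists but is not on this user's list, and the traversal attempts never reach the filesystem lookup.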
0

Also, you can use authentication "middleware" in your routes to add better access control.

Route::get('routeName', ['middleware' => 'auth', 'uses' => 'XController@action']);
Amancho