
Hi, I am making a Call Recording System. Basically, there's an admin and a user. The admin will upload a call recording file, which is stored in the file system. Then the admin will assign a call recording to a user, which the user can see.

So in my database I have

RecordingsTable
->id
->Name
->Path
->FileName

Then my Designation table, where I store the call recording assigned to a user.

DesignationTable
->id
->User_id
->Recording_id

I have already made the function so that the user can only see and play the recording assigned to him/her. My problem now is that the user can also share that recording with someone else. I have already done that: what I do is load the recording assigned to the user, and in his/her dashboard there's a public link for the video, say

<a href="http://localhost/callrec/public/recording/{!! $value->recordID !!}">See Public Link</a>

As you can see, I'm using a Blade template. As you can see, $value->recordID is my recording ID, which is a resource, so let's say that link is directed to

http://localhost/callrec/public/recording/1

Then that link is public and the user can share it. But there's a risk: when he/she shares it, the id in the link can be altered, let's say to http://localhost/callrec/public/recording/4, and if that id exists it can be accessed, which is not supposed to happen because the user only shared id = 1. How do I approach problems like this? Any ideas and suggestions? Thanks!

  • Why not generate a hash value for the ID, with a custom salt value. – nathanmac Jul 27 '15 at 11:56
  • This would work, but remember that hash is an irreversible operation, so you will need to store the hash in your database together with the recording. – jedrzej.kurylo Jul 27 '15 at 11:57
  • A permission based access would be the way to go. Disable non-authenticated access to the file – Alex Tartan Jul 27 '15 at 11:58
  • @AlexTartan if I do that, does that mean each person the user shares the link with needs to be registered or logged in? Or needs to be assigned a file as well? – jackhammer013 Jul 27 '15 at 12:07
  • It is possible to do it. There is a similar solution to protect images for logged-in users only; see if you can get inspiration on how to do it. If you get stuck, let me know and I will find you a solution. http://stackoverflow.com/questions/30682421/how-to-protect-image-from-public-view-in-laravel-5/30682456#30682456 – Maytham Fahmi Jul 27 '15 at 12:10
  • @alexTartan, maytham: Please read the question. The OP wants to make the links shareable for public, just wants to prevent messing with the links so that other recordings cannot be viewed. – jedrzej.kurylo Jul 27 '15 at 12:14
  • @jedrzej.kurylo OK As I understand only logged on users should access the links – Maytham Fahmi Jul 27 '15 at 12:16

1 Answer

If you use ID in the URL, then as you noticed it's easy to guess other possible IDs, change the URL and access other recordings. So what you need to do is to share links containing a value that users won't be able to guess. One example would be a hash of the recording ID using some secret value as a hash - e.g. your APP_KEY value.

What you need to do is:

  1. Add a string hash column to your recording table
  2. When recording is created, calculate the hash and save it with the recording:

    $recording = Recording::create($attributes);
    // Laravel exposes the APP_KEY value through the app.key config entry
    $recording->hash = base64_encode(
        Hash::make($recording->recordID . Config::get('app.key'))
    );
    $recording->save();
    
  3. Use that hash in the URLs

    <a href="http://localhost/callrec/public/recording/{!! $value->hash!!}">
       See Public Link
    </a>
    

This way your links will be publicly available, but guessing a hash of another recording will be more or less as hard as guessing passwords in your application as the same logic is applied. Just make sure you keep your APP_KEY safe.

  • Hi this is a very good idea, however, I will have problems with the URL if I use hash, say for example my hash is $2y$10$FpDtUyndvT6EiaWLPbYP2uEHDkIQrFz0uvtPPpQ81cKQ/v9ta6o0e then it will be on the url like http://localhost/callrec/public/recording/$2y$10$FpDtUyndvT6EiaWLPbYP2uEHDkIQrFz0uvtPPpQ81cKQ/v9ta6o0 the problem is that hash might have a forward slash / which will cause me a 404 error – jackhammer013 Jul 27 '15 at 13:20
  • Sorry, forgot about base64_encode :) I updated the answer – jedrzej.kurylo Jul 27 '15 at 13:27
  • You can see base64 characters here http://stackoverflow.com/questions/6102077/possible-characters-base64-url-safe-function - it should be safe for the URLs – jedrzej.kurylo Jul 27 '15 at 13:28
  • Wow thank you so much. It works and the way I want it to be. You've helped me a lot. thank u so much :) – jackhammer013 Jul 27 '15 at 13:39
  • To whoever is downvoting the answer: please drop a comment, I'll be happy to learn what is wrong with this solution :) – jedrzej.kurylo Jul 27 '15 at 15:06
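
A self-contained sketch of the share-token idea from the answer above, added here and not part of the original answer or of Laravel: it derives the token with HMAC-SHA256 instead of Hash::make and encodes it with the URL-safe base64 alphabet, so the token can never contain a / that breaks the route. The function names, the demo key and the in-memory array standing in for the recordings table are assumptions.

```php
<?php
// Added example. $appKey stands in for Laravel's APP_KEY; the array below
// stands in for the recordings table and holds constructed sample rows.

function base64url(string $bytes): string
{
    // RFC 4648 URL-safe alphabet: no '/', '+' or '=' inside a route segment.
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function shareToken(int $recordingId, string $appKey): string
{
    // Keyed hash of the ID: without $appKey nobody can compute the token
    // that belongs to a different recording ID.
    return base64url(hash_hmac('sha256', 'recording:' . $recordingId, $appKey, true));
}

function findByToken(array $recordings, string $token): ?array
{
    // A SHA-256 MAC is 32 bytes, i.e. 43 base64url characters without padding.
    if (!preg_match('/^[A-Za-z0-9_-]{43}$/', $token)) {
        return null;
    }
    foreach ($recordings as $row) {
        if (hash_equals($row['hash'], $token)) { // constant-time comparison
            return $row;
        }
    }
    return null;
}

$appKey = 'constructed-demo-key-not-a-real-APP_KEY';
$recordings = [];
foreach ([1 => 'call-a.mp3', 4 => 'call-b.mp3'] as $id => $file) {
    $recordings[] = ['id' => $id, 'FileName' => $file, 'hash' => shareToken($id, $appKey)];
}

$shared = $recordings[0]['hash'];   // token in the link the user hands out for id 1
$tampered = ($shared[0] === 'A' ? 'B' : 'A') . substr($shared, 1);

var_dump(findByToken($recordings, $shared));   // the shared link
var_dump(findByToken($recordings, '4'));       // a guessed numeric ID
var_dump(findByToken($recordings, $tampered)); // the token with one character changed
```

In a Laravel route the loop would be a lookup on the stored hash column, returning 404 when no row matches.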