Now if I log out from my basic Yii2 app (hosted on a web server) and I know the direct URL of an uploaded file, I can access and view it while logged out, too. My upload directory is under app/web. My webroot is app/web. Is there a way to restrict that to logged-in users only? I guess it has more to do with Apache, or? Thanks!

user2511599
  • [here's what I was looking for](http://stackoverflow.com/questions/2679524/block-direct-access-to-a-file-over-http-but-allow-php-script-access), excuse me I haven't found it sooner. – user2511599 Feb 20 '16 at 19:55
  • static files (pictures) inaccessible for app, too now... – user2511599 Feb 20 '16 at 20:47

1 Answer

Yes, Yii does not restrict access to files. You'll have to save the files below the web/. I have not tried this myself, but I found this function that might help you:

http://www.yiiframework.com/doc-2.0/yii-web-response.html#sendFile()-detail

`public $this sendFile ( $filePath, $attachmentName = null, $options = [] )`

Edit based on your comment: If your download folder is below web, as in frontend/downloads it should not be accessible via a browser. But you can then send that file to the user using

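```php
// Controller action: streams a file stored outside the document root.
public function actionTest()
{
    // Returning the response object makes it explicit that the file is the action's result.
    return Yii::$app->response->sendFile(Yii::getAlias('@frontend').'/download/yourfile.zip');
}
```
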
Jørgen
  • upload folder is already under `/web/`. I don't understand how do you mean this function can help. – user2511599 Feb 19 '16 at 22:45
  • Then either I misunderstood your question, or you did not read up on that function. Provided an example in my answer as an edit. Is this not what you're asking? – Jørgen Feb 19 '16 at 23:22
  • The problem is, that the files are at the moment (basic app) **always** accessible. And I don't want that. – user2511599 Feb 20 '16 at 08:58
  • Well, not if you have them in `frontend/downloads` and you've set your htdocs/document root to the web folder. – Jørgen Feb 20 '16 at 08:59
  • I guess it's `app/fronted` or something in Basic, but you'll be able to access them through a localhost if your Apache is configured with a document root in the folder where the application is placed. When you upload it to a webserver, and set your document root to the `web` folder, anything below that folder will not be accessible through the browser. Hope this helps. – Jørgen Feb 20 '16 at 10:58
  • You mean everything **above** web folder is inaccessible, or? – user2511599 Feb 20 '16 at 19:47
  • If you point your document root to the web folder, everything in the web folder is accessible to a browser. So yes, I guess that technically is above - my bad :) – Jørgen Feb 20 '16 at 22:48
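
The approach discussed in this thread, as an added example that is not code from the question or the answer: uploads live outside the document root and a controller action serves them only to logged-in users. The `FileController` name, the `@app/uploads` directory and the `name` parameter are assumptions chosen for illustration.

```php
<?php
namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\NotFoundHttpException;

// Hypothetical controller for a basic-template app (document root = app/web).
class FileController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    // '@' matches authenticated users; guests are denied
                    // and redirected to the login page.
                    ['allow' => true, 'roles' => ['@']],
                ],
            ],
        ];
    }

    // Example request: /index.php?r=file/download&name=report.pdf
    public function actionDownload($name)
    {
        // Assumed storage directory, a sibling of web/, so Apache never
        // maps a URL onto it.
        $baseDir = realpath(Yii::getAlias('@app/uploads'));
        if ($baseDir === false) {
            throw new NotFoundHttpException('File not found.');
        }

        // basename() drops directory components such as "../"; realpath()
        // resolves symlinks so the prefix check sees the real location.
        $path = realpath($baseDir . DIRECTORY_SEPARATOR . basename($name));
        if ($path === false
            || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0
            || !is_file($path)) {
            throw new NotFoundHttpException('File not found.');
        }

        return Yii::$app->response->sendFile($path, basename($path));
    }
}
```

Pages that embed these files (for example in an `<img>` tag) have to link to the action's URL rather than to a path under `web/`, since the files no longer have a direct URL.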