
I have an application built in core PHP, and I have one scenario where I got stuck. I have a company database, where the company's information and its related documents exist. I want to show documents only to logged-in users. Currently, if a logged-in user shares a link to the documents with any other user, they can access those documents without any login, which needs to be restricted.

The base path is like this: abc.com/app and the path of the documents is like this: abc.com/app/documents/random_company_name/all_documents_in_it. random_company_name is a dynamically generated folder.

As the documents path gives direct access to the documents, no PHP script is involved; that's why I am stuck.

Does anybody have an idea how I can redirect that user to the login page, and after login check whether the user belongs to the same company, giving access if so and denying it otherwise?

I have tried using htaccess to redirect to the authentication page if a PDF is opened, but I am unable to handle images in it. Below is my htaccess code:

    #htaccess start
    RewriteEngine On
    RewriteRule !^((.pdf|.jpeg|.jpg)|(.*\/))$ authorizeacess.php
tadman
Zeeshan
  • What does "unable to handle images in it" mean? What does `authorizeaccess.php` do? If it knows the path of the asset, and how to check for authorization, you just test, if it passes use something like [`readfile`](https://www.php.net/manual/en/function.readfile.php) to dump out the file. – tadman Jun 18 '20 at 06:45
  • @tadman I mean that in htaccess I want to redirect to authorizeaccess.php if the user opens any image or PDF file; secondly, in authorizeaccess.php I checked whether the user is logged in or not: if yes, they will access the document or image, else access is restricted. – Zeeshan Jun 18 '20 at 07:59
  • Yes, I get what you're trying to do but the fix here requires a working `authorizeaccess.php` so you should focus on that part. You'll also need to include the original path in the rewrite, like `authorizeaccess.php?path=$1` where the original path is captured in the regular expression. – tadman Jun 18 '20 at 20:32
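
The approach described in the comments above (capture the path in the rewrite, check the session, then `readfile`), written out as an added example; it is not code from the question or from any commenter. The session keys `user_id`, `company_folder` and `return_to`, the `login.php` page and the rewrite rule in the header comment are assumptions.

```php
<?php
// authorizeaccess.php - added example, not the asker's script.
// Assumed rewrite in abc.com/app/.htaccess, so every document request lands here:
//   RewriteEngine On
//   RewriteRule ^documents/(.+)$ authorizeaccess.php?path=$1 [L]
// Assumed session keys (hypothetical): user_id, company_folder, return_to.
declare(strict_types=1);
session_start();

const DOC_ROOT = __DIR__ . '/documents';
const ALLOWED_TYPES = ['pdf' => 'application/pdf', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// 1. Not logged in: remember the target and send the user to the login page.
if (empty($_SESSION['user_id'])) {
    $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
    header('Location: login.php'); // hypothetical login page
    exit;
}

// 2. Resolve the requested path; realpath() collapses ../ segments and symlinks.
$requested = (string) ($_GET['path'] ?? '');
$root = realpath(DOC_ROOT);
$file = realpath(DOC_ROOT . '/' . $requested);
if ($root === false || $file === false || !is_file($file)) {
    deny(404);
}

// 3. The file must sit inside the logged-in user's own company folder.
$companyDir = realpath($root . '/' . basename((string) $_SESSION['company_folder']));
if ($companyDir === false || strpos($file, $companyDir . DIRECTORY_SEPARATOR) !== 0) {
    deny(403);
}

// 4. Serve only the expected types, with a fixed Content-Type.
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
if (!isset(ALLOWED_TYPES[$ext])) {
    deny(403);
}
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($file);
```

Because the rule rewrites everything under `documents/`, file types outside the allow-list are refused rather than served directly. Keeping the documents directory outside the web root would remove the dependency on the rewrite rule altogether.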

1 Answer


If I were you, I would try to implement a middleware, with an HTTP client like Guzzle. Then you could easily protect your files from being accessed with a link.

As for the .htaccess configuration, please check this answer about password protecting and this one about deny from all.

johnnyBoy
  • I have updated my question, please review now. As the application is already working, it is not possible at this time to use middleware. – Zeeshan Jun 17 '20 at 10:05
  • Sounds like your application is missing some functionality so "working" is best phrased as "incomplete". The point of *middleware* is it layers on top. You should be able to add this on top of your existing application if necessary. – tadman Jun 18 '20 at 06:42