CyberJunkie

Reputation: 22674

Amazon s3 php safely deleting objects

I'm allowing my users to delete the images that they upload, but they can easily delete the images that belong to other users by changing the name of the image.

My working code below for deleting images... User images are fetched using a username prefix e.g. joe/some_image.jpg and a user selects which images to delete using check boxes.

//images to be deleted
$images = array("joe/angry_robot.jpg", "joe/baby_with_mustache.jpg");

//create multidimensional array to use in class
$array = array();
foreach($images as $key => $value)
{
    $array[] = array(
        'key' => $value
    );
}

$this->load->library('awslib');

//initiate the class
$s3 = new AmazonS3();

$bucket = 'my_bucket';

$response = $s3->delete_objects ($bucket, array(
    'objects' => $array
));

// Success?
var_dump($response->isOK());

What solutions are available in S3 for safely deleting objects in buckets? I'm looking for some kind of user authentication method.

Upvotes: 0

Views: 1039

Answers (1)

Lusitanian

Reputation: 11122

Maintain a list of the files that each user owns.

class User
{
  // your properties

  // array of owned images (initialised so in_array()/array_search() always get an array)
  private $images = array();

  public function addImage($image)
  {
      $this->images[] = $image;
  }

  public function ownsImage($image)
  {
      return in_array($image, $this->images);
  }

  public function removeImage($image)
  {
      if( ( $key = array_search($image, $this->images) ) !== false ) { 
          unset($this->images[$key]);
          return true;
      }
      return false;
  }
}

Then....

if( $user->ownsImage($imageToDelete) ) {
    // proceed
} else {
    // not authorized
}

Map that array to your database in whichever manner you handle persistence.

Or do it any other way within your application. Authorization for end-users shouldn't be handled by S3.

Upvotes: 1
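The ownership check from the answer, applied to the batch delete in the question, as an added example (not code from either poster). The function name `partitionDeleteRequest`, the `$ownedKeys` list and the sample keys are hypothetical; the user name is assumed to come from the authenticated session and the owned keys from the application's own database.

```php
<?php
// Added example: partitionDeleteRequest() and all sample data are hypothetical.

/**
 * Split the keys a client asked to delete into those the logged-in user owns
 * and those they do not. Ownership comes from server-side records only.
 */
function partitionDeleteRequest(string $sessionUser, array $ownedKeys, array $requestedKeys): array
{
    $allowed = array();
    $denied  = array();
    $prefix  = $sessionUser . '/';

    foreach ($requestedKeys as $key) {
        $isOwned = is_string($key)
            && strncmp($key, $prefix, strlen($prefix)) === 0  // key sits under the user's prefix
            && in_array($key, $ownedKeys, true);              // and is recorded as theirs (strict compare)

        if ($isOwned) {
            $allowed[] = $key;
        } else {
            $denied[] = $key;
        }
    }
    return array('allowed' => $allowed, 'denied' => $denied);
}

// Constructed sample data: $requestedKeys stands for the submitted check boxes,
// including one key from another user's prefix and one not recorded in the database.
$sessionUser   = 'joe';
$ownedKeys     = array('joe/angry_robot.jpg', 'joe/baby_with_mustache.jpg');
$requestedKeys = array('joe/angry_robot.jpg', 'ann/holiday.jpg', 'joe/not_in_db.jpg');

$result = partitionDeleteRequest($sessionUser, $ownedKeys, $requestedKeys);

if (count($result['denied']) > 0) {
    // Refuse the whole batch and log it; json_encode() keeps the logged keys on one line.
    error_log('delete denied for ' . $sessionUser . ': ' . json_encode($result['denied']));
    $objects = array();
} else {
    // Same shape the question passes to delete_objects(): array(array('key' => ...), ...)
    $objects = array_map(function ($k) { return array('key' => $k); }, $result['allowed']);
}

var_dump($result, $objects);
```

Only a non-empty `$objects` should ever reach the `delete_objects` call shown in the question.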
