Ronneille Borbei

Reputation: 3

Protecting directories with htaccess by checking logged in user

I've been trying to create a website that allows users to upload Word documents. Those documents would then be stored in a public directory of the website. The thing is, I don't want everyone to access the uploaded documents. I would like to check if they are logged in first, and if they are "Authorized Users", say if they have an account level of 50 or higher, then they are allowed to open the directory.

Is there any way I can do this through .htaccess? Or is there a better solution?

I don't know if this is a dumb question, but do help me please. I would deeply appreciate any help I can get right now.

Note:

Sorry for not mentioning earlier, but I actually want to use Google Docs for viewing these documents in order to embed them in my website.

Upvotes: 0

Views: 1109

Answers (2)

Emmeram Morning

Reputation: 101

It sounds like you're taking the approach of putting the public documents directory somewhere underneath your web root directory. For a number of reasons (security, portability, maintainability), this is not the best approach to take.

Here's a quick-and-dirty approach (I'm assuming that you're already handling user authentication using a database or some other means to store credentials):

  1. Place the documents directory somewhere outside your web root directory.
  2. Create a function (or class) to read the list of files in the documents directory (look at scandir() (http://www.php.net/manual/en/function.scandir.php)).
  3. Create a page that will show the results of reading the documents directory. Each file should be a link to a page along with a URL parameter indicating the file. In this page, check the user's credentials before showing them the file list.
  4. In the page that the file list page points to, check to make sure the requested file exists in the documents directory (don't forget to check again to make sure the user has the necessary credentials!), and then read that file and push it to the user. See readfile() (http://php.net/manual/en/function.readfile.php), making special note in the example of setting the various header fields.

Upvotes: 2

ionFish

Reputation: 1024

You'd probably want to use a database (MySQL?) and PHP sessions to check if:

  1. the user has logged in successfully (credentials in database)
  2. the user has 'level 50' or higher: if($level >= 50)
  3. use sessions and session variables to create persistent authentication keys when users go between pages.
  4. you should not need to use .htaccess files for this.

Upvotes: 0
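The two answers above describe the same design: keep the documents outside the web root, gate every request through a PHP script, and decide with a session check (logged in, level 50 or higher) rather than with .htaccess. The following is an added example of such a gateway script; it is not code from either answerer. It assumes a hypothetical private directory /var/www/private_docs and assumes the site's login page has already set $_SESSION['user_id'] and $_SESSION['level'] after validating credentials against the database. The file-name validation (basename, extension whitelist, realpath prefix check) goes beyond what the answers spell out, because a script that serves files by name from a URL parameter is exactly where path traversal bugs appear.

```php
<?php
// Added example, not from the original answers: a PHP download gateway that
// implements the four steps of the first answer and the session/level checks
// of the second. Assumes the login page already set $_SESSION['user_id'] and
// $_SESSION['level'] after checking the database.
declare(strict_types=1);

session_start();

// Hypothetical path, OUTSIDE the web root, so Apache never serves it directly.
const DOCS_DIR  = '/var/www/private_docs';
const MIN_LEVEL = 50;

/** True only for a logged-in user whose account level is 50 or higher. */
function isAuthorized(array $session): bool
{
    return isset($session['user_id'], $session['level'])
        && (int) $session['level'] >= MIN_LEVEL;
}

/**
 * Resolves a user-supplied file name to a real path inside DOCS_DIR.
 * Returns null for anything that is not a plain .doc/.docx file directly in
 * that directory (rejects "../", sub-directories, dotfiles, other extensions).
 */
function resolveDocument(string $name): ?string
{
    if ($name === '' || $name !== basename($name) || $name[0] === '.') {
        return null;                       // path separators or hidden file
    }
    if (!preg_match('/\.docx?$/i', $name)) {
        return null;                       // only Word documents are served
    }
    $real = realpath(DOCS_DIR . DIRECTORY_SEPARATOR . $name);
    $base = realpath(DOCS_DIR);
    if ($real === false || $base === false || !is_file($real)) {
        return null;
    }
    // Defence in depth: the resolved path must still sit under the docs directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Lists the documents the gateway is willing to serve (step 2 of the first answer). */
function listDocuments(): array
{
    $files = [];
    foreach (scandir(DOCS_DIR) ?: [] as $entry) {
        if (resolveDocument($entry) !== null) {
            $files[] = $entry;
        }
    }
    return $files;
}

// ---- request handling ----
// The credential check runs before BOTH the listing and the download,
// as the first answer's step 4 reminds you to do.
if (!isAuthorized($_SESSION)) {
    http_response_code(403);
    exit('Forbidden');
}

if (!isset($_GET['file'])) {
    // Step 3: show the list; each entry links back to this script with ?file=<name>.
    header('Content-Type: text/html; charset=utf-8');
    foreach (listDocuments() as $f) {
        $safe = htmlspecialchars($f, ENT_QUOTES, 'UTF-8');
        echo '<a href="?file=' . rawurlencode($f) . '">' . $safe . '</a><br>';
    }
    exit;
}

// Step 4: validate the requested name, then stream the file with explicit headers.
$path = resolveDocument((string) $_GET['file']);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

One caveat that follows from the question's note about Google Docs: an embedded viewer fetches the document from Google's servers, not from the user's browser, so it cannot present the user's session cookie and will be refused by a gateway like this one. Any document you hand to an external viewer has to be reachable without the session check, which is the opposite of the access control the question asks for.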
