Reputation: 156
I have a login system that is fully functional and I keep the user logged in by their ID in a Session Variable $_SESSION['user_id'].
I would like to use that ID to authorise them to view certain files.
I know I can use a MySQL database to store whether they are authorised to see a certain file and then check their ID against the database when it is accessed via a web page, e.g. file.php with a container on the page. However, how do I stop someone from finding out what the URL of the file is (e.g. /files/file.pdf) and navigating to that in their browser and viewing it that way?
I know there has to be a way but my knowledge is obviously limited.
Any help would be appreciated.
Thank you
Connor Wyatt
Upvotes: 2
Views: 145
Reputation: 74220
As per OP's request.
Place your files outside the public html area.
$file = "/var/user/you/outside_folder/file.xxx";
type of thing.
"you can use readfile from your script if the user is authorized"
Bansi's suggestion of using readfile is a good method.
As per an example on that page:
$filename = "file.csv";
$filepath = "/path/to/file/" . $filename;
From example #1
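<?php
$file = 'monkey.gif';
// Only send headers and content if the file is actually there.
if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    // Quote the filename so names containing spaces are not truncated by the browser.
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    // Stream the file to the client, then stop so nothing else is appended to the download.
    readfile($file);
    exit;
}
?>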
where $file = 'monkey.gif'; can be modified to read as:
$file = '/var/user/you/outside_folder/monkey.gif';
Upvotes: 4
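The question's session check and database lookup combined with the answer's out-of-webroot readfile approach, as an added example that is not part of the original question or answer. The script name download.php, the tables files and file_permissions with their columns, and the DSN and credentials are assumptions made for illustration; the storage directory is the path used in the answer.

```php
<?php
// download.php (added example). Table/column names, DSN and credentials are
// assumptions; STORAGE_DIR is the answer's directory outside the public html area.
session_start();
const STORAGE_DIR = '/var/user/you/outside_folder';

function deny(int $status): void {
    http_response_code($status);
    exit;
}

// 1. Only logged-in users get any further.
if (empty($_SESSION['user_id'])) {
    deny(401);
}

// 2. The client sends a numeric id, never a file name or path.
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($fileId)) {
    deny(400);
}

// 3. Fetch the stored name only if this user is authorised for this file.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'change-me',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'SELECT f.stored_name FROM files f
       JOIN file_permissions p ON p.file_id = f.id
      WHERE f.id = ? AND p.user_id = ?'
);
$stmt->execute([$fileId, $_SESSION['user_id']]);
$storedName = $stmt->fetchColumn();
if ($storedName === false) {
    deny(404); // same response for "no such file" and "not authorised"
}

// 4. Resolve the path and confirm it is still inside the storage directory.
$root = realpath(STORAGE_DIR);
$path = realpath(STORAGE_DIR . '/' . basename((string) $storedName));
if ($root === false || $path === false || !is_file($path)
    || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
    deny(404);
}

// 5. Stream the file, as in the readfile example above.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Pages then link to download.php?id=... instead of a path under /files/, so there is no direct URL to the file for anyone to guess.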