Urmir

Reputation: 21

.htaccess - Deny access to folder but allow access to file via index.php

I'm having a problem with .htaccess and PHP-files in a sub folder. What I'm trying to achieve is to prevent anyone from being able to access any file in my sub folder - BUT I want my index.php to be able to access those files.

DOCROOT/subfolder -> www.somewebsite.com/subfolder/somefile.php
-> Access Denied

BUT

[index.php]
<form action="/subfolder/somefile.php">
...
</form>
-> Success!

I would love to solve this by just using .htaccess. I tried deny from all and also some RewriteRules, but those rules also kill any request from index.php. I tried

Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from somewebsite.com
Satisfy Any

but the request from index.php is being denied. Can anyone help, please?

Upvotes: 2

Views: 4035

Answers (3)

Brandon Johnson

Reputation: 191

In your .htaccess you could redirect any requests to files inside that directory other than index.php as follows:

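# Goes in DOCROOT/subfolder/.htaccess (<Directory> sections are not allowed inside .htaccess files)
RewriteEngine On
# Skip the rewrite for index.php itself
RewriteCond %{REQUEST_FILENAME} !=/DOCROOT/subfolder/index.php
# In .htaccess context the matched path has no leading slash
RewriteRule ^(.+)$ redirect.php [L]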

Upvotes: 0

Jon Lin

Reputation: 143966

This is a misconception that people have. Just because you're linking to PHP files from another PHP file doesn't mean the index.php file is accessing them. The end-user/browser is still accessing them, it's just it's being told where to go by your index.php file. Has absolutely nothing to do with how it's being accessed. In both of your cases, they're being accessed by the browser.

The best you can do is to look at the referer field. It can be easily forged to get around this, but it's the only thing you can do.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(example.com|127\.0\.0\.1) [NC]
RewriteRule ^subfolder/ - [L,F]

where "example.com" is your site.

Upvotes: 1
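
Added example, not part of the answer above or of Apache itself: a small Python model of the Referer rule from that answer, run over constructed requests to show which ones it refuses. It assumes the rule sits in DOCROOT/.htaccess; `status_for`, `evaluate` and the sample requests are hypothetical names and data made up for this illustration.

```python
import re

# Model of the two directives from the answer, placed in DOCROOT/.htaccess:
#   RewriteCond %{HTTP_REFERER} !^https?://(example.com|127\.0\.0\.1) [NC]
#   RewriteRule ^subfolder/ - [L,F]
REFERER_OK = re.compile(r"^https?://(example.com|127\.0\.0\.1)", re.IGNORECASE)
RULE_PATTERN = re.compile(r"^subfolder/")


def status_for(path, headers):
    """Return 403 if the rule refuses the request, 200 if it lets it through."""
    # In .htaccess context mod_rewrite matches the path without its leading slash.
    relative = path[1:] if path.startswith("/") else path
    if not RULE_PATTERN.search(relative):
        return 200  # the rule only covers subfolder/
    # A request without a Referer header gives an empty %{HTTP_REFERER}.
    referer = headers.get("Referer", "")
    # The leading "!" negates the condition: it holds when the regex does NOT match.
    if not REFERER_OK.search(referer):
        return 403  # [F] flag
    return 200


# Constructed sample requests, not captured traffic.
SAMPLES = [
    ("form on index.php submitted by a browser", "/subfolder/somefile.php",
     {"Referer": "https://example.com/index.php"}),
    ("URL typed into the address bar", "/subfolder/somefile.php", {}),
    ("link followed from another site", "/subfolder/somefile.php",
     {"Referer": "https://other.test/page"}),
    ("browser configured to omit Referer, same form", "/subfolder/somefile.php", {}),
    ("non-browser client that sets the header itself", "/subfolder/somefile.php",
     {"Referer": "https://example.com/index.php"}),
    ("page outside the protected folder", "/index.php", {}),
]


def evaluate(samples=SAMPLES):
    """Return (label, status) for every sample request."""
    return [(label, status_for(path, headers)) for label, path, headers in samples]


if __name__ == "__main__":
    for label, status in evaluate():
        print(f"{status}  {label}")
```

The first and fifth samples look identical to the server, which is why the answer calls the check forgeable. The fourth shows the opposite failure: a legitimate visitor whose browser omits the header is refused.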

FuzzyTree

Reputation: 32402

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.hello.com/index.php
RewriteRule .*subfolder/somefile\.php - [NC,F]

The second line checks whether the visitor is not coming from a certain URL. The third line blocks them from accessing somefile.php.

Upvotes: 0
