user3137766

Deny direct access of a pdf file but allow when user logged in

I have a little issue with my PHP app. I have a folder named "my_files", and inside it I have many PDFs in many directories. Inside the "my_files" directory I put these htaccess lines to deny direct access from the URL (working fine):

Order Deny,Allow
Deny from all

In my project root I put this PHP file (get_file.php) to allow PDF download only for logged-in members:

if( !empty( $_GET['pdf_name'] ) ) {
  // check if user is logged in
  if( is_user_logged_in() ){
    $pdf_name = preg_replace( '#[^-\w]#', '', $_GET['pdf_name'] );
    $pdf_folder = {$_SERVER['DOCUMENT_ROOT']}/docs/en;
    $fic = "{$pdf_folder}/{$pdf_name}.pdf";
    if( file_exists( $fic ) ){
        header( 'Cache-Control: public' );
        header( 'Content-Description: File Transfer' );
        header( 'Content-Type: application/pdf');
        header( "Content-Disposition: attachment; filename={$fic}" );
        header( 'Content-Transfer-Encoding: binary' );
        readfile( $fic );
        exit;
    }
  }
} else {
    die( "ERROR: you don't have permissions to download it." );
}

And when I access this URL:

myappdomaindotcom/get_file.php?pdf_name=STUDENTS

the browser returns :

This web page is not available
ERR_INVALID_RESPONSE

Could someone help me please? The aim is to disallow direct file access but allow it only for logged-in members.

UPDATE

In the browser console I got this response. Why do I have data:image?

browser console

UPDATE V2

I changed the code a bit to add quotes, but I got the same result. The file really exists, but the console returns the same failed status.

if( !empty( $_GET['pdf_name'] ) ) {
  // check if user is logged    
  if( is_user_logged_in() ) {


    $pdf_name = preg_replace( '#[^-\w]#', '', $_GET['pdf_name'] );
    $pdf_folder = "{$_SERVER['DOCUMENT_ROOT']}/docs/en";
    $pdf_file   = "{$pdf_folder}/{$pdf_name}.pdf";
    echo $pdf_file;
    if( file_exists( $pdf_file ) )
    {

        header( 'Cache-Control: public' );
        header( 'Content-Description: File Transfer' );
        header( 'Content-Type: application/pdf');
        header( "Content-Disposition: attachment; filename={$pdf_file}" );
        header( 'Content-Transfer-Encoding: binary' );
        readfile( $pdf_file ); 

    }
  }
} else {
    die( "ERROR: you don't have permissions to download it." );
}

UPDATE V3 WORKING

I finally solved it from this post: solution. Below is the final code:

if( !empty( $_GET['pdf_name'] ) ) {

  // check if user is logged in
  if( is_user_logged_in() ) {

    $proxiedDirectory   = "{$_SERVER['DOCUMENT_ROOT']}/xxxx/";
    // basename() strips directory components such as "../" from the user-supplied name
    $filename           = basename( $_GET['pdf_name'] );
    $file               = $proxiedDirectory.$filename.'.pdf';
    $basename           = basename($file);

    if( file_exists($file) ){
        header("Content-Type: application/pdf", true, 200); // May need to determine the MIME type somehow
        header("Content-Disposition: attachment; filename={$basename}");
        header('Cache-Control: public');
        readfile($file);
        exit();
    }

  }

} else {
    die( "ERROR: you don't have permissions to download it." );
}

Thank you for your help, guys, but I have one last question: is it possible to open the PDF instead of downloading it?

Upvotes: 1

Views: 3707
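
A hardened variant of the handler discussed above, as an added example rather than code from the question or the answer: it accepts only names in the character set the earlier versions allowed, confirms with realpath() that the resolved file stays inside the storage directory, and sends Content-Disposition: inline so the browser displays the PDF instead of downloading it. The my_files location next to the script and the flat (no sub-directory) layout are assumptions; is_user_logged_in() is the application's own check from the question.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied PDF name to a real path inside $baseDir.
 * Returns null when the name is malformed, missing, or escapes $baseDir.
 */
function resolve_pdf(string $baseDir, string $name): ?string
{
    // Allow-list: letters, digits, underscore, hyphen. \A and \z anchor the
    // whole string, so a trailing newline cannot slip past the check.
    if (!preg_match('#\A[-\w]+\z#', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath("{$baseDir}/{$name}.pdf"); // false when the file does not exist
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check: a symlink inside $baseDir could still point elsewhere.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Fail closed: deny when the application's session check is absent or negative.
if (!function_exists('is_user_logged_in') || !is_user_logged_in()) {
    http_response_code(403);
    exit("ERROR: you don't have permissions to download it.");
}

// Assumed storage location: the protected "my_files" folder beside this script.
$name = $_GET['pdf_name'] ?? '';
$path = is_string($name) ? resolve_pdf(__DIR__ . '/my_files', $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

header('Content-Type: application/pdf');
// "inline" asks the browser to display the PDF; "attachment" forces a download.
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // per-user content stays out of shared caches
readfile($path);
exit;
```

No output (echo, whitespace before `<?php`, a BOM) may be sent before the header() calls, otherwise the headers are not applied and the browser receives a malformed response.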

Answers (1)

Khetesh kumawat

Reputation: 711

Try this code

The error is on this line: $pdf_folder = {$_SERVER['DOCUMENT_ROOT']}/docs/en; it is not a string.

if( !empty( $_GET['pdf_name'] ) ) {
  // check if user is logged in
  if( is_user_logged_in() ){
    // keep only word characters and hyphens from the requested name
    $pdf_name = preg_replace( '#[^-\w]#', '', $_GET['pdf_name'] );
    $pdf_folder = "{$_SERVER['DOCUMENT_ROOT']}/docs/en";
    $fic = "{$pdf_folder}/{$pdf_name}.pdf";
    if( file_exists( $fic ) ){
        header( 'Cache-Control: public' );
        header( 'Content-Description: File Transfer' );
        header( 'Content-Type: application/pdf');
        // send only the file name, not the full server path
        header( 'Content-Disposition: attachment; filename=' . basename( $fic ) );
        header( 'Content-Transfer-Encoding: binary' );
        readfile( $fic );
        exit;
    }
  }
} else {
    die( "ERROR: you don't have permissions to download it." );
}

Upvotes: 1
