How to secure Laravel Storage folders

Question

In my project, I have implemented auth and ACL for my controllers and routes. I have a file upload system accessible only if the user is logged. It's work fine.

My problem is on the uploaded files. The user can access any file if have a file URL. How I can implement auth on uploaded files?

I tried with routes, but when accessing my file through the browser the file is shown as if not have a route intercepting this URL.

I have used this code:

Route::get('/storage/document/3/4a15c1ab060be8f35.png', function () {
  return 'ok';
});

How can I implement auth on specific folders on storage? Thanks!

Stephen Lake · Accepted Answer

If you want to restrict access to files per user based on some sort of permission, you'll need to build that permission logic yourself (StackOverflow isn't going to do your job for you), but for the sake of answering this question, let's assume you already have that permission system in place and in order to check whether the user has access, our function is hasAccessToFile which basically just does a look up based on whatever your business logic requires.

Instead of serving all files publicly, you can serve individual files, here's a very brief example:

Route::get('files/{pathToFile}', function($pathToFile) {

    if (auth()->user()->hasAccessToFile($pathToFile)) {
        return response()->file($pathToFile);
    } else {
        return 'Nope, sorry bro, access denied!';
    }

});

See the File Responses documentation.

If you need to provide downloads of the files rather than serving of them, similarly:

Route::get('files/{pathToFile}', function($pathToFile) {

    if (auth()->user()->hasAccessToFile($pathToFile)) {
        return response()->download($pathToFile);
    } else {
        return 'Nope, sorry bro, access denied!';
    }

});

See the File Downloads documentation.

How to secure Laravel Storage folders

Answers (2)

Related Questions