
deny folder permission


ferret147


I have been told that I can use mod_rewrite to deny folder access from a session variable but as of yet am unable to find any confirmed evidence of this.  Basically this is what I am wanting to do;

 

admin/

admin/files

 

I have the admin folder protected with a login script and when members log in I want them to have access to the folder admin/files but if a visitor is not logged in then they will be denied access to admin/files/

 

my session variable is $admin_username

 

So in the .htaccess I suppose I am looking for something like this - if (isset($_SESSION['admin_username'])) {/allow} else {/deny} well that is how I would do it in PHP but how can I achieve this with mod_rewrite?

 

All help appreciated, this one has been bugging me for some time now.


You might be able to do something along the lines of redirecting all requests via a PHP script, e.g.

 

                        RewriteEngine On

                        RewriteBase /

                        RewriteRule . /protected.php [L]

 

Then have the protected.php check for that session variable and if it exists use the readfile() function to fetch the file and return it to the user.

 


I see what you are saying but my problem is a little more complex!

 

Let's say I have a file in site.com/admin/files/file.avi this would not stop a member copying that URL from the page it is embedded in, posting it up on a message board or sharing it with someone via email who does not have a user account on the site and them accessing the file, hence the reason for only allowing browsers with that session set being allowed to access the file.

 

Unless there is another way but I can not think of anything off hand :(


You can't access PHP session data from an .htaccess file in that manner. You will have to actually serve the file using PHP as mentioned by pastcow. Assuming you redirect all requests via PHP then it wouldn't matter if somebody copied and pasted the path to the file, as you would redirect the request to a PHP file that would check the session data before reading the requested file data in and returning it.


If you stick that mod_rewrite rule in place even .AVI and .TXT requests will flow through the "protected.php" script which can do the checks. If someone pastes a link to the AVI they won't be able to download it unless they have a valid session identifier.


Quick question! I have tried to use the readfile() and the fopen commands to fetch the files in the now protected folder with no luck!

 

Any advice?

 

What I did is set up a test folder and page;

 

/index.php

/protected/

/protected/.htaccess

 

htaccess file is as suggested and works fine and redirects to index.php

 

in the index.php file I have this;

 

 

 

 

<?php $file = '/protected/testimage.jpg'; ?>

<p><img src="<?php fopen("$file", "r");?>"  /></p>

 

 

and the image does not show! Any ideas as to how I should fetch the file? I was thinking of cURL but I have used this function in the past and it is very CPU heavy and this script is going to be servicing around 41,000 page views a day from the members.

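The gatekeeper script the replies describe, written out as an added example that is not part of the original thread. It assumes the rewrite rule above sends requests for admin/files/ to protected.php and that the login script sets $_SESSION['admin_username']; PROTECTED_DIR, URL_PREFIX and resolve_protected_file() are hypothetical names.

```php
<?php
// protected.php: added example; PROTECTED_DIR, the URL prefix and
// resolve_protected_file() are assumptions, not names from the thread.
declare(strict_types=1);

const PROTECTED_DIR = __DIR__ . '/admin/files'; // assumed layout
const URL_PREFIX = '/admin/files/';

// Map the requested URL to a real file inside $baseDir, or null.
// realpath() collapses "../" and symlinks, so the prefix check rejects
// anything that resolves outside the protected folder.
function resolve_protected_file(string $uri, string $prefix, string $baseDir): ?string
{
    $path = rawurldecode((string) parse_url($uri, PHP_URL_PATH));
    $base = realpath($baseDir);
    if ($base === false || strpos($path, "\0") !== false
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $real = realpath($base . '/' . substr($path, strlen($prefix)));
    if ($real === false || !is_file($real)
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

session_start();
if (!isset($_SESSION['admin_username'])) {   // set by the login script
    http_response_code(403);
    exit('Forbidden');
}

$file = resolve_protected_file($_SERVER['REQUEST_URI'] ?? '', URL_PREFIX, PROTECTED_DIR);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

session_write_close(); // release the session lock before streaming
// mime_content_type() needs the fileinfo extension; fall back if it fails.
header('Content-Type: ' . (mime_content_type($file) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```

The page that embeds the file keeps pointing at the ordinary URL (for example src="/admin/files/testimage.jpg"); the browser's request carries the session cookie, the rewrite rule routes it through this script, and a visitor without a session gets a 403 instead of the file.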
