Question

So I currently have my folders set up like this:

index.php
galleries
   -Party Weekend
       -2014
          -Bunchofimages.png
   -Other pics
       -Pictures.png

This gets loaded in on my home page the same way this does: http://metro.windowswiki.info/smpg/demo/

So all the folders are loaded dynamically and I want to secure some folders that are only visible when you're logged in.

So for example: Only logged in users (or users with a certain status/rank) can see the folders Party weekend & Other pics while the normal users (or not logged in) can't see this folder in here.

What is the best way to check this? Will I need to manually check every folder if it has the name Party weekend and if so see if the permissions are there or are there alternatives to this?

Thanks in advance!

Solution: scandirSorted (the function that scans for all folders/files now got a check before returning)

Before:

if(is_dir($basefolder.$currentdir))
{
    $folder = array_diff(scandirSorted($basefolder.$currentdir), array('..', '.', 'Thumbs.db', 'thumbs.db', '.DS_Store'));
}

After:

if(is_dir($basefolder.$currentdir))
{
    $folder = array_diff(scandirSorted($basefolder.$currentdir), array('..', '.', 'Thumbs.db', 'thumbs.db', '.DS_Store'));

    if ($folder[2] == "Familie Weekend")
    {
        isPermitted($folder[2]); // This is the check if user has permission to that specific folder (will later update with permissions stored in database)
    }
}

Came to this solution thanks to @Jerald Johnson. If someone has any tips on this (I guess it's not really secure, not sure though), feel free to tell me.


Solution 2

You will need to edit the code to check if "Party Weekend" is in the name, and prompt for auth.

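<?php
// Prompt for login when the requested folder name contains "Party Weekend".
// $_GET['f'] may be missing from the request, so fall back to an empty string.
if (preg_match("/Party Weekend/", $_GET['f'] ?? '')) {
    die(login_function());
}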

OTHER TIPS

The best way to do this would be to store the image files either directly in a database (such as MySQL), or somewhere else on the filesystem (i.e. not within the webroot), with records in a database pointing to them. That way rather than using PHP to scan the filesystem and pick up images, it can instead query a database. The record for the image in the database can also store whether or not it should be visible to unauthorised users. You would have to write a PHP file which would output the image itself after checking the authorisation of the user.

If, as you have it, the image files are kept within the webroot, someone that isn't logged in can still view them if they can guess the names of the files. You can get around this by using obscured names, or by keeping them elsewhere on the filesystem (or in a database).

A simple solution which just checks for particular strings in the name of a folder might work when you only have a few folders, but it doesn't scale very well. Using a database would make it much easier to manage different levels of authorisation, and facilitate automatic uploading of images.
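
The approach described in the answer above (images kept outside the webroot and sent by a PHP file that checks authorisation first), as an added example that is not code from the thread. The path /srv/gallery-data, the `g` and `f` query parameters, `$_SESSION['rank']` and the `$acl` array (a stand-in for the database table) are assumptions.

```php
<?php
// Added example, not code from the thread: image.php, the only way to reach an image.
// Assumptions: files live in /srv/gallery-data (outside the webroot), login code sets
// $_SESSION['rank'], and $acl stands in for a database table of minimum rank per folder.
declare(strict_types=1);

const GALLERY_ROOT = '/srv/gallery-data'; // hypothetical location
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

/** Returns [HTTP status, absolute path or null] for a requested image. */
function resolveImage(string $root, array $acl, int $rank, string $gallery, string $file): array
{
    // Deny by default: a folder with no ACL entry is never served.
    if (!array_key_exists($gallery, $acl)) {
        return [404, null];
    }
    if ($rank < $acl[$gallery]) {
        return [403, null];
    }
    // Canonicalise, then require the result to stay inside the authorised gallery,
    // so "../" or a symlink cannot reach another folder's files.
    $galleryDir = realpath($root . '/' . $gallery);
    $path = realpath($root . '/' . $gallery . '/' . $file);
    if ($galleryDir === false || $path === false || !is_file($path)
        || !str_starts_with($path, $galleryDir . DIRECTORY_SEPARATOR)) {
        return [404, null];
    }
    return [200, $path];
}

session_start();
$acl = ['Party Weekend' => 1, 'Other pics' => 1, 'Public' => 0]; // constructed sample data
$param = fn(string $k): string => is_string($_GET[$k] ?? null) ? $_GET[$k] : '';
[$status, $path] = resolveImage(
    GALLERY_ROOT, $acl, (int)($_SESSION['rank'] ?? 0), $param('g'), $param('f')
);
// Check the real content type so only images are ever sent (needs the fileinfo extension).
if ($status === 200 && !in_array(mime_content_type($path), ALLOWED_TYPES, true)) {
    $status = 404;
}
if ($status !== 200) {
    http_response_code($status);
    exit;
}
header('Content-Type: ' . mime_content_type($path));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

The prefix check is made against the gallery directory rather than the data root, so a request that names a public gallery cannot use `../` in `f` to read a restricted one.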

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow