Question

I have a question about routes and security.

I need to protect files in the public html folder. If the user tries to access any route in my project I have some treatments to check whether the user is logged in or not and redirect him to the correct route.

What I can't do at the moment is protect access to files in the public html folder, such as www.xpto.com.br/file.html: if the user is not logged in the page is still shown to the user.

Is there any way to check if the user is logged in, but not in the html file itself?

Thank you in advance!


Solution

If you have files in the public_html area, then protecting them and restricting their access is very difficult.

The best option is to hide the files in a secure directory, outside of public_html, and use PHP's readfile() function to 'serve' the files to users once you have confirmed they can access a specific file.

Something like this will do the trick as an example:

function user_file($file_name = "")
{
    if ($file_name)
    {
         // Ensure no funny business names to prevent directory traversal etc.
         $file_name = str_replace ('..', '', $file_name);
         $file_name = str_replace ('/', '', $file_name);

         // now do the logic to check user is logged in (Laravel's Auth facade)
         if (Auth::check())
         {
                // Serve file via readfile() - we hard code the user_ID - so they
                // can only get to their own images
                readfile('../your_app/samples/'.Auth::user()->id.'/'.$file_name);
         }
    }
}
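The same pattern, written out as a complete download endpoint, is shown below. This is an added example and not the answerer's code; it assumes (none of which is stated in the thread) that the protected files live in a `private_files/<user_id>/` directory beside the web root, that the logged-in user's id is kept in `$_SESSION['user_id']`, and that the script is reached as `/download.php?file=<name>`. Instead of stripping `..` and `/` with `str_replace`, it reduces the request to a bare file name with `basename()` and then confirms with `realpath()` that the resolved path is still inside the user's own directory, which also catches symlinks that point elsewhere.

```php
<?php
// Added example: serve a file stored outside public_html only after an
// authentication check and a path containment check.
// Assumptions (not from the original post): files live in STORAGE_ROOT/<user_id>/,
// the logged-in user's id is in $_SESSION['user_id'], and the request is
// /download.php?file=<name>.

declare(strict_types=1);

// Directory outside the web root; nothing here is reachable by URL.
const STORAGE_ROOT = __DIR__ . '/../private_files';

/**
 * Return the caller's user id, or null when nobody is logged in.
 * Replace with your framework's check (e.g. Auth::check() / Auth::id() in Laravel).
 */
function current_user_id(): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/**
 * Resolve a user-supplied file name to an absolute path inside the user's own
 * directory. Returns null if the name is empty, names a directory, or resolves
 * to anything outside that directory.
 */
function resolve_user_file(int $userId, string $requested): ?string
{
    // basename() drops any directory part ("../../etc/passwd" -> "passwd"),
    // so the request cannot walk the tree at all.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    $userDir = realpath(STORAGE_ROOT . '/' . $userId);
    if ($userDir === false) {
        return null; // this user has no directory yet
    }

    // realpath() follows symlinks, so a planted link pointing outside is caught here too.
    $path = realpath($userDir . '/' . $name);
    $prefix = $userDir . DIRECTORY_SEPARATOR;
    if ($path === false || !is_file($path) || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

/** Send the file with explicit headers so the browser does not guess the type. */
function serve_file(string $path): void
{
    $mime = mime_content_type($path) ?: 'application/octet-stream';
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($path);
}

$userId = current_user_id();
if ($userId === null) {
    // Anonymous request: redirect to the login route instead of serving anything.
    header('Location: /login', true, 302);
    exit;
}

$path = resolve_user_file($userId, $_GET['file'] ?? '');
if ($path === null) {
    // Same response for "missing" and "not yours": nothing to enumerate.
    http_response_code(404);
    exit;
}
serve_file($path);
```

Because the user id comes from the server-side session rather than from the request, one user cannot ask for another user's directory, and the `realpath()` prefix check means the only thing the `file` parameter can select is a regular file already sitting in that user's own folder.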
Licensed under: CC-BY-SA with attribution