PHPFixing

Friday, January 14, 2022

[FIXED] How to implement limited file access in PHP?

Tags: file-permissions, file-upload, lamp, php

Issue

I'm working on an application (LAMP) where users can upload files to the server but cannot share their files with other users. So, my problem is to implement a secure mechanism that ensures user A cannot access files uploaded by user B.

My approach is this:

  1. Each user has a folder for its files (/upload/userA)
  2. Add a .htaccess file to redirect all access to the /upload folder to a PHP script
  3. Check if the user has permission to access the subdirectory (/userA)

Can you see any drawback in this approach? Any better alternative?


Solution

Instead of making hard references to files, you can make something like download.php?id=1234, look up 1234 in the database to check whether the user has privileges to download the file, and not show the physical path to the user at all.

With HTTP headers, you can force users to download the file with a filename of your choosing (stored in the database). Allowing users to directly access their files from physical paths is not a good idea, and if you try to make a hook with .htaccess upon each request, that will be more expensive, indeed.

Most systems consider generating some random strings or GUIDs so that you can't simply access someone else's file by changing a character randomly. E.g., in Facebook images, ../187170_697610597_4628627_q.jpg, there is that complicated URL which users can directly access but cannot guess another image URL by changing a few digits; that's too difficult, but it is not safe and does not meet your requirements.



Answered By - ahmet alp balkan
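
The download.php?id=1234 approach from the answer above, as an added example that is not part of the original answer. The `files` table and its columns, the storage directory outside the web root, the `user_id` session key, and the database DSN and `DB_PASS` variable are all assumptions.

```php
<?php
// download.php?id=1234 -- added example; schema, paths and session key are assumed.
declare(strict_types=1);

const STORAGE_DIR = '/var/app-data/uploads'; // assumed location, outside the web root

/** Return the file row only if $userId owns it; null otherwise. */
function find_owned_file(PDO $db, int $fileId, int $userId): ?array
{
    // Ownership is part of the query, so an id owned by someone else
    // is indistinguishable from an id that does not exist.
    $stmt = $db->prepare(
        'SELECT stored_name, original_name FROM files WHERE id = ? AND owner_id = ?'
    );
    $stmt->execute([$fileId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Build a Content-Disposition value from the display name kept in the database. */
function content_disposition(string $name): string
{
    $name  = basename($name);
    // ASCII fallback without quotes, control characters or path separators.
    $ascii = preg_replace('/[^A-Za-z0-9._ -]/', '_', $name);
    return "attachment; filename=\"$ascii\"; filename*=UTF-8''" . rawurlencode($name);
}

session_start();
$userId = $_SESSION['user_id'] ?? null;                      // assumed to be set at login
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($userId === null) { http_response_code(401); exit; }
if (!is_int($fileId)) { http_response_code(400); exit; }

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app',
    getenv('DB_PASS') ?: '', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$file = find_owned_file($db, $fileId, (int) $userId);

// stored_name is a server-generated name; basename() keeps the read inside STORAGE_DIR.
$path = $file ? STORAGE_DIR . '/' . basename($file['stored_name']) : null;
if ($path === null || !is_file($path)) { http_response_code(404); exit; }

header('Content-Type: application/octet-stream');
header('Content-Disposition: ' . content_disposition($file['original_name']));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Both a missing id and an id owned by another user return 404, so the response does not reveal which ids exist.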