How to secure Laravel Storage folders









up vote
2
down vote

favorite












In my project i have implemented auth and ACL for my controllers and routes. Im have too a file upload system accessible only if the user is logged. It's work fine.



My problem is on the uploaded files. The user can access any file if have a file url. How i can implement auth on uploaded files?



I tried with routes, but when acccess my file through the bowser the file is show like if not have a route intercepting this url.



i was used this code:



Route::get('/storage/document/3/4a15c1ab060be8f35.png', function () 
return 'ok';
);


How i can implement auth on specific folders on storage? Thanks!










share|improve this question

























    up vote
    2
    down vote

    favorite












    In my project i have implemented auth and ACL for my controllers and routes. Im have too a file upload system accessible only if the user is logged. It's work fine.



    My problem is on the uploaded files. The user can access any file if have a file url. How i can implement auth on uploaded files?



    I tried with routes, but when acccess my file through the bowser the file is show like if not have a route intercepting this url.



    i was used this code:



    Route::get('/storage/document/3/4a15c1ab060be8f35.png', function () 
    return 'ok';
    );


    How i can implement auth on specific folders on storage? Thanks!










    share|improve this question























      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      In my project i have implemented auth and ACL for my controllers and routes. Im have too a file upload system accessible only if the user is logged. It's work fine.



      My problem is on the uploaded files. The user can access any file if have a file url. How i can implement auth on uploaded files?



      I tried with routes, but when acccess my file through the bowser the file is show like if not have a route intercepting this url.



      i was used this code:



      Route::get('/storage/document/3/4a15c1ab060be8f35.png', function () 
      return 'ok';
      );


      How i can implement auth on specific folders on storage? Thanks!










      share|improve this question













      In my project i have implemented auth and ACL for my controllers and routes. Im have too a file upload system accessible only if the user is logged. It's work fine.



      My problem is on the uploaded files. The user can access any file if have a file url. How i can implement auth on uploaded files?



      I tried with routes, but when acccess my file through the bowser the file is show like if not have a route intercepting this url.



      i was used this code:



      Route::get('/storage/document/3/4a15c1ab060be8f35.png', function () 
      return 'ok';
      );


      How i can implement auth on specific folders on storage? Thanks!







      php laravel authentication storage acl






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 10 at 13:43









      Luciano Braga

      337




      337






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          If you want to restrict access to files per user based on some sort of permission, you'll need to build that permission logic yourself (StackOverflow isn't going to do your job for you), but for the sake of answering this question, let's assume you already have that permission system in place and in order to check whether the user has access, our function is hasAccessToFile which basically just does a look up based on whatever your business logic requires.



          Instead of serving all files publicly, you can serve individual files, here's a very brief example:



          Route::get('files/pathToFile', function($pathToFile) 

          if (auth()->user()->hasAccessToFile($pathToFile))
          return response()->file($pathToFile);
          else
          return 'Nope, sorry bro, access denied!';


          );


          See the File Responses documentation.



          If you need to provide downloads of the files rather than serving of them, similarly:



          Route::get('files/pathToFile', function($pathToFile) 

          if (auth()->user()->hasAccessToFile($pathToFile))
          return response()->download($pathToFile);
          else
          return 'Nope, sorry bro, access denied!';


          );


          See the File Downloads documentation.






          share|improve this answer






















          • The part of show the file if the user has permission is not problem. But this not work if the file is on the public folder storage/app/public. How i can make it for protect a subfolder of public like storage/app/public/docs?
            – Luciano Braga
            Nov 10 at 14:42






          • 2




            Don’t use the public folder or any sub directories for protected files. If you need to display a protected image or download a file then serve it over an endpoint(route) you can control.
            – adam
            Nov 10 at 18:13






          • 1




            @LucianoBraga Adam just said it. You're not supposed to make everything public if you don't want everything to be public. If you want to serve files privately, then they cannot be accessible in storage via the public resource directory. Makes sense right?
            – Stephen Lake
            Nov 10 at 19:54






          • 1




            @LucianoBraga That's right, move them anywhere you like outside of the public directory, preferably the storage folder and if your storage folder is symlinked, you'll need to ensure the destination folder isn't publicly readable, obviously.
            – Stephen Lake
            Nov 11 at 10:50







          • 1




            OK. Thanks for all!!
            – Luciano Braga
            Nov 11 at 11:33










          Your Answer






          StackExchange.ifUsing("editor", function ()
          StackExchange.using("externalEditor", function ()
          StackExchange.using("snippets", function ()
          StackExchange.snippets.init();
          );
          );
          , "code-snippets");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "1"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53239589%2fhow-to-secure-laravel-storage-folders%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote



          accepted










          If you want to restrict access to files per user based on some sort of permission, you'll need to build that permission logic yourself (StackOverflow isn't going to do your job for you), but for the sake of answering this question, let's assume you already have that permission system in place and in order to check whether the user has access, our function is hasAccessToFile which basically just does a look up based on whatever your business logic requires.



          Instead of serving all files publicly, you can serve individual files, here's a very brief example:



          Route::get('files/pathToFile', function($pathToFile) 

          if (auth()->user()->hasAccessToFile($pathToFile))
          return response()->file($pathToFile);
          else
          return 'Nope, sorry bro, access denied!';


          );


          See the File Responses documentation.



          If you need to provide downloads of the files rather than serving of them, similarly:



          Route::get('files/pathToFile', function($pathToFile) 

          if (auth()->user()->hasAccessToFile($pathToFile))
          return response()->download($pathToFile);
          else
          return 'Nope, sorry bro, access denied!';


          );


          See the File Downloads documentation.






          share|improve this answer






















          • The part of show the file if the user has permission is not problem. But this not work if the file is on the public folder storage/app/public. How i can make it for protect a subfolder of public like storage/app/public/docs?
            – Luciano Braga
            Nov 10 at 14:42






          • 2




            Don’t use the public folder or any sub directories for protected files. If you need to display a protected image or download a file then serve it over an endpoint(route) you can control.
            – adam
            Nov 10 at 18:13






          • 1




            @LucianoBraga Adam just said it. You're not supposed to make everything public if you don't want everything to be public. If you want to serve files privately, then they cannot be accessible in storage via the public resource directory. Makes sense right?
            – Stephen Lake
            Nov 10 at 19:54






          • 1




            @LucianoBraga That's right, move them anywhere you like outside of the public directory, preferably the storage folder and if your storage folder is symlinked, you'll need to ensure the destination folder isn't publicly readable, obviously.
            – Stephen Lake
            Nov 11 at 10:50







          • 1




            OK. Thanks for all!!
            – Luciano Braga
            Nov 11 at 11:33














          up vote
          2
          down vote



          accepted










          If you want to restrict access to files per user based on some sort of permission, you'll need to build that permission logic yourself (StackOverflow isn't going to do your job for you), but for the sake of answering this question, let's assume you already have that permission system in place and in order to check whether the user has access, our function is hasAccessToFile which basically just does a look up based on whatever your business logic requires.



          Instead of serving all files publicly, you can serve individual files, here's a very brief example:



          Route::get('files/pathToFile', function($pathToFile) 

          if (auth()->user()->hasAccessToFile($pathToFile))
          return response()->file($pathToFile);
          else
          return 'Nope, sorry bro, access denied!';


          );


          See the File Responses documentation.



          If you need to provide downloads of the files rather than serving of them, similarly:



          Route::get('files/pathToFile', function($pathToFile) 

          if (auth()->user()->hasAccessToFile($pathToFile))
          return response()->download($pathToFile);
          else
          return 'Nope, sorry bro, access denied!';


          );


          See the File Downloads documentation.






          share|improve this answer






















          • The part of show the file if the user has permission is not problem. But this not work if the file is on the public folder storage/app/public. How i can make it for protect a subfolder of public like storage/app/public/docs?
            – Luciano Braga
            Nov 10 at 14:42






          • 2




            Don’t use the public folder or any sub directories for protected files. If you need to display a protected image or download a file then serve it over an endpoint(route) you can control.
            – adam
            Nov 10 at 18:13






          • 1




            @LucianoBraga Adam just said it. You're not supposed to make everything public if you don't want everything to be public. If you want to serve files privately, then they cannot be accessible in storage via the public resource directory. Makes sense right?
            – Stephen Lake
            Nov 10 at 19:54






          • 1




            @LucianoBraga That's right, move them anywhere you like outside of the public directory, preferably the storage folder and if your storage folder is symlinked, you'll need to ensure the destination folder isn't publicly readable, obviously.
            – Stephen Lake
            Nov 11 at 10:50







          • 1




            OK. Thanks for all!!
            – Luciano Braga
            Nov 11 at 11:33












          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted






          If you want to restrict access to files per user based on some sort of permission, you'll need to build that permission logic yourself (StackOverflow isn't going to do your job for you), but for the sake of answering this question, let's assume you already have that permission system in place and in order to check whether the user has access, our function is hasAccessToFile which basically just does a look up based on whatever your business logic requires.



          Instead of serving all files publicly, you can serve individual files, here's a very brief example:



          Route::get('files/pathToFile', function($pathToFile) 

          if (auth()->user()->hasAccessToFile($pathToFile))
          return response()->file($pathToFile);
          else
          return 'Nope, sorry bro, access denied!';


          );


          See the File Responses documentation.



          If you need to provide downloads of the files rather than serving of them, similarly:



          Route::get('files/pathToFile', function($pathToFile) 

          if (auth()->user()->hasAccessToFile($pathToFile))
          return response()->download($pathToFile);
          else
          return 'Nope, sorry bro, access denied!';


          );


          See the File Downloads documentation.






          share|improve this answer














          If you want to restrict access to files per user based on some sort of permission, you'll need to build that permission logic yourself (StackOverflow isn't going to do your job for you), but for the sake of answering this question, let's assume you already have that permission system in place and in order to check whether the user has access, our function is hasAccessToFile which basically just does a look up based on whatever your business logic requires.



          Instead of serving all files publicly, you can serve individual files, here's a very brief example:



          Route::get('files/pathToFile', function($pathToFile) 

          if (auth()->user()->hasAccessToFile($pathToFile))
          return response()->file($pathToFile);
          else
          return 'Nope, sorry bro, access denied!';


          );


          See the File Responses documentation.



          If you need to provide downloads of the files rather than serving of them, similarly:



          Route::get('files/pathToFile', function($pathToFile) 

          if (auth()->user()->hasAccessToFile($pathToFile))
          return response()->download($pathToFile);
          else
          return 'Nope, sorry bro, access denied!';


          );


          See the File Downloads documentation.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 10 at 14:19

























          answered Nov 10 at 14:14









          Stephen Lake

          1,0411123




          1,0411123











          • The part of show the file if the user has permission is not problem. But this not work if the file is on the public folder storage/app/public. How i can make it for protect a subfolder of public like storage/app/public/docs?
            – Luciano Braga
            Nov 10 at 14:42






          • 2




            Don’t use the public folder or any sub directories for protected files. If you need to display a protected image or download a file then serve it over an endpoint(route) you can control.
            – adam
            Nov 10 at 18:13






          • 1




            @LucianoBraga Adam just said it. You're not supposed to make everything public if you don't want everything to be public. If you want to serve files privately, then they cannot be accessible in storage via the public resource directory. Makes sense right?
            – Stephen Lake
            Nov 10 at 19:54






          • 1




            @LucianoBraga That's right, move them anywhere you like outside of the public directory, preferably the storage folder and if your storage folder is symlinked, you'll need to ensure the destination folder isn't publicly readable, obviously.
            – Stephen Lake
            Nov 11 at 10:50







          • 1




            OK. Thanks for all!!
            – Luciano Braga
            Nov 11 at 11:33
















          • The part of show the file if the user has permission is not problem. But this not work if the file is on the public folder storage/app/public. How i can make it for protect a subfolder of public like storage/app/public/docs?
            – Luciano Braga
            Nov 10 at 14:42






          • 2




            Don’t use the public folder or any sub directories for protected files. If you need to display a protected image or download a file then serve it over an endpoint(route) you can control.
            – adam
            Nov 10 at 18:13






          • 1




            @LucianoBraga Adam just said it. You're not supposed to make everything public if you don't want everything to be public. If you want to serve files privately, then they cannot be accessible in storage via the public resource directory. Makes sense right?
            – Stephen Lake
            Nov 10 at 19:54






          • 1




            @LucianoBraga That's right, move them anywhere you like outside of the public directory, preferably the storage folder and if your storage folder is symlinked, you'll need to ensure the destination folder isn't publicly readable, obviously.
            – Stephen Lake
            Nov 11 at 10:50







          • 1




            OK. Thanks for all!!
            – Luciano Braga
            Nov 11 at 11:33















          The part of show the file if the user has permission is not problem. But this not work if the file is on the public folder storage/app/public. How i can make it for protect a subfolder of public like storage/app/public/docs?
          – Luciano Braga
          Nov 10 at 14:42




          The part of show the file if the user has permission is not problem. But this not work if the file is on the public folder storage/app/public. How i can make it for protect a subfolder of public like storage/app/public/docs?
          – Luciano Braga
          Nov 10 at 14:42




          2




          2




          Don’t use the public folder or any sub directories for protected files. If you need to display a protected image or download a file then serve it over an endpoint(route) you can control.
          – adam
          Nov 10 at 18:13




          Don’t use the public folder or any sub directories for protected files. If you need to display a protected image or download a file then serve it over an endpoint(route) you can control.
          – adam
          Nov 10 at 18:13




          1




          1




          @LucianoBraga Adam just said it. You're not supposed to make everything public if you don't want everything to be public. If you want to serve files privately, then they cannot be accessible in storage via the public resource directory. Makes sense right?
          – Stephen Lake
          Nov 10 at 19:54




          @LucianoBraga Adam just said it. You're not supposed to make everything public if you don't want everything to be public. If you want to serve files privately, then they cannot be accessible in storage via the public resource directory. Makes sense right?
          – Stephen Lake
          Nov 10 at 19:54




          1




          1




          @LucianoBraga That's right, move them anywhere you like outside of the public directory, preferably the storage folder and if your storage folder is symlinked, you'll need to ensure the destination folder isn't publicly readable, obviously.
          – Stephen Lake
          Nov 11 at 10:50





          @LucianoBraga That's right, move them anywhere you like outside of the public directory, preferably the storage folder and if your storage folder is symlinked, you'll need to ensure the destination folder isn't publicly readable, obviously.
          – Stephen Lake
          Nov 11 at 10:50





          1




          1




          OK. Thanks for all!!
          – Luciano Braga
          Nov 11 at 11:33




          OK. Thanks for all!!
          – Luciano Braga
          Nov 11 at 11:33

















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53239589%2fhow-to-secure-laravel-storage-folders%23new-answer', 'question_page');

          );

          Post as a guest














































































          Popular posts from this blog

          Top Tejano songwriter Luis Silva dead of heart attack at 64

          政党

          天津地下鉄3号線