限制访问Assets .pdf .jpg

时间:2010-06-30 04:26:48

标签: pdf

我希望用户能够上传.pdf和图像,并根据用户的权限限制对这些文件的访问。有没有人做过类似的事情? 我想到的附件的基本计划是控制器检查用户是否有权查看文档或文件。如果他们具有检索和显示文档的权限。

我的.htacces文件将包含

 #Removes access to the secure_files folder by users.
 RewriteCond %{REQUEST_URI} ^secure_files.*
 RewriteRule ^(.*)$ /index.php?/$1 [L]


    ------
    -SQL
    ------

    ------
    - create files table
    -----
    CREATE TABLE `files` (
    id INT NOT NULL AUTO_INCREMENT,
    file_name VARCHAR(50) NOT NULL,
    PRIMARY KEY('id')
    );

    ------
    - create files table
    -----
    CREATE TABLE `privileges` (
    uesr_id INT NOT NULL,
    file_id INT NOT NULL,
    );

    ------
    - create users table
    -----
    CREATE TABLE `users` (
    id INT NOT NULL AUTO_INCREMENT,
    name VARCHAR(20) NOT NULL,
    email VARCHAR(50) NOT NULL,
    password CHAR(40) NOT NULL,
    PRIMARY KEY('id')
    );

    /*
    * pseudo-Codeigniter code. I can edit this to make 
    * it pure PHP if that would be more helpful 
    *
    */
    public function get_user_files($filename)
    {
       //this is set during login
       $user_id = $this->session->userdata('user_id');

      //check to see if the user has privileges to access the file and gets the file name
      $query = $this->db->join('privileges','privileges.id = files.id')
                     ->select('files.file_name')
                     ->where('privileges.user_id',$user_id)
                     ->where('files.file_name',$file_name)
                     ->limit(1)
                     ->get('files');

    $file = $query->row()->files.file_name;

   if($file)
   {
    //user has privileges to access the file so include it

    //WHAT DO I DO HERE!?!
    //start Would this work?
    $handle = fopen($file, "rb");
    $data['file'] = fread($handle, filesize($file));
    fclose($handle);
    //end would this work?
   }
  $this->load->view('files',$data);
}

2 个答案:

答案 0 :(得分:1)

一个简单而安全的解决方案是使用以下架构。这将允许您限制对上载文件的访问,并避免上载.php文件的问题。文件大小的上限是长度为16mb的longblob。 

CREATE TABLE `files` (
id INT NOT NULL AUTO_INCREMENT,
user_id INT NOT NULL,
file_name text NOT NULL,
file LONGBLOB NOT NULL,
PRIMARY KEY('id')
);

这是上传文件的PHP代码:

$user_file=file_get_contents($_FILES['user_file']['tmp_name']);
//Make the file binary safe
$user_file=mysql_real_escape_string($user_file);
$file_name=mysql_real_escape_string($_FILES['user_file']['name']);
$user_file=mysql_real_escape_string($user_file);

mysql_query("insert into files (user_id,file_name,file)values ("$_SESSION[user_id]","$file_name","$user_file");

可以通过检查文件的user_id来强制执行访问控制。用户文件的content-type很容易被欺骗,因此不要信任$_FILE[name][type],但是当您让用户下载文件时,这必须是正确的类型。例如,pdf应具有此内容类型。 header('Content-type: application/pdf');

答案 1 :(得分:0)

为什么不将它们放在一个.htaccess阻止所有访问的目录中,并使用php脚本发送相应的头文件,检查权限然后用readfile函数吐出文件内容?

相关问题
最新问题