Document server development (php)
Hi,
I've been asked to take over support for a web-based document server
(all kinds of files). Currently the user logs in using a form and
then has a list of documents displayed based on their log in. Each
item is a direct link to the document.
This works but has a fundamental security hole that I want to fix. If
you get told what the URL of the file is then you can download it
without any log in. What I'd like to do is ensure that the user is
properly logged into the system before downloading the file.
My thought is to have the documents in a directory that Apache does
not have access to. The link on the document server is then to
server_doc.php&user=me&doc=21 (properly implementing sessions rather
than passing usernames around is another security hole on the to do
list but one that is a lot easier to solve). PHP then checks the user
is logged in and authorised to see the document and serves it with
the appropriate MIME headers.
In pseudo-code what it does is:

    if (logged_in($user) && has_permission($user, $file_id)) {
        $path = lookup_path($file_id);
        serve_doc($path);
    } else {
        server_error_page();
    }

Can anyone give me any pointers in how to implement serve_doc()?
Thanks,
--
Graham Drabble
http://www.drabble.me.uk/
date: Fri, 19 Sep 2008 18:38:12 +0100
author: Graham Drabble
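
One way the serve_doc() asked about above could be written, as an added example that is not part of the original post. DOC_ROOT, its path and the helper resolve_doc_path() are assumptions; the documents are assumed to sit outside Apache's DocumentRoot while remaining readable by the PHP process.

```php
<?php
// Added example. DOC_ROOT and its path are assumptions, not from the post.
const DOC_ROOT = '/srv/private_docs'; // outside the web server's DocumentRoot

// Return the canonical path if it is a regular file under $root, else null.
function resolve_doc_path(string $path, string $root = DOC_ROOT): ?string
{
    $rootReal = realpath($root);
    $real     = realpath($path);
    if ($rootReal === false || $real === false || !is_file($real)) {
        return null;
    }
    // Reject anything that resolves outside the private root (../, symlinks).
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Call only after the logged_in() and has_permission() checks have passed.
function serve_doc(string $path): void
{
    $real = resolve_doc_path($path);
    if ($real === null) {
        http_response_code(404);
        exit;
    }

    // Detect the MIME type from file content (fileinfo extension).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($real) ?: 'application/octet-stream';
    // Restrict the download name to safe characters to prevent header injection.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($real));

    // Discard buffered output so nothing is prepended to the file body.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }

    header('Content-Type: ' . $mime);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($real));
    header('X-Content-Type-Options: nosniff');  // stop browsers re-guessing the type
    header('Cache-Control: private, no-store'); // keep copies out of shared caches
    readfile($real);
    exit;
}
```

The path passed in should come from the server-side lookup_path($file_id) result, never directly from a request parameter.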