限制用户子目录 [英] limiting users to subdirectories
问题描述
我有用户的子目录中,我想限制每个子文件夹到该用户只。
例如我有 /用户/用户1 在这里我要保护的用户1 文件夹,以便只有用户1可内部访问这些文件。
我试图玩弄一个.htaccess和htpasswd的文件,但我得到提示登录,即使我已经验证针对MySQL数据库的第二次。
我不知道该怎么做主要有第二个日志中的请求自动处理,因为用户将进行身份验证previously。
我可以张贴一些code,我有我的.HT文件,但我认为这可能信息让球滚动。
我觉得用一个PHP代理来访问这些文件足以在这种情况下,沿着线的东西:
的download.php
< PHP
/ **装入用户假设$用户** /
$文件=修剪($ _ GET ['文件']);
/ **消毒的文件名在这里** /
如果(真=== file_exists('/用户/用户'$用户自>。ID'/'$文件)){
//从http://php.net/manual/en/function.readfile.php
标题(内容简介:文件传输);
标题(内容类型:应用程序/八位字节流);
标题(内容处置:附件;文件名=$文件。');
标题(内容传输编码:二进制');
头('过期:0');
标题(缓存控制:必重新验证,后检查= 0,pre-检查= 0');
头('杂注:公开');
标题(内容长度:文件大小($文件));
ob_clean();
冲洗();
ReadFile的($文件);
出口;
} 其他 {
抛出新的异常(未找到文件);
}
的.htaccess 要拒绝所有直接下载文件
所有否认
您会然后通过使用/download.php?file=filename.ext链接到文件夹,这将仅下载从当前用户的用户目录文件
您会想,以确保您清理输入文件名,所以你不容易受到目录横向的攻击。</ P>
I have a subdirectory of users that I want to limit each subfolder to that user only.
For example I have /users/user1 where I want to protect the user1 folder so that only user1 can access the files inside.
I tried playing around with an .htaccess and .htpasswd file, but I get prompted to log in a second time even though I have authenticated against a MySQL database.
I'm not sure what to do to basically have the second log in request automatically handled since the user would be authenticated previously.
I can post some code that I have for my .ht files, but I thought that this info could get the ball rolling.
I think that using a php proxy to access the files would be sufficient in this case, something along the lines of:
Download.php
<?php
/** Load your user assumed $user **/
$file = trim($_GET['file']);
/** Sanitize file name here **/
if (true === file_exists('/users/user'.$user->id.'/'.$file)) {
//from http://php.net/manual/en/function.readfile.php
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.$file.'"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
} else {
throw new Exception('File Not Found');
}
.htaccess To deny all direct file downloads
deny from all
You would then link to the folders by using /download.php?file=filename.ext and it would only download that file from the users directory of the current user.
You'll want to ensure you sanitize the input file name so you're not vulnerable to directory transversal exploits.
这篇关于限制用户子目录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
