[FX.php List] [OFF] Restricting web directory/downloads via FM?
Kevin Futter
KFutter at sbc.vic.edu.au
Wed Jul 28 17:03:08 MDT 2010
Thanks Leo. We do all our online authentication via AD and LDAP, so it's
just a matter of writing that into a session. We're looking at providing
online access for parents to their sons' school reports, but it's obviously
crucial that they can't access anyone else's, and vice versa!
Not sure when I'll get time to look at this, but I have a few more months
until the next reporting period.
Kev
On 29/07/10 8:57 AM, "Leo R. Lundgren" <leo at finalresort.org> wrote:
> Sure, no problem! I suggest you start by making a basic solution like the one
> described with a script that 1) takes a username and password and checks the
> database, 2) readfile()'s the file if the authentication is successful.
>
> Either you could make the script get all three parameters (username, password,
> filename) in one go (the client would have to make the link include the
> parameters in the URL), or you could make the script first present a login box
> and then do the above when the user submits the form on it.
>
>
> 29 jul 2010 kl. 00.49 skrev Kevin Futter:
>
>> I have a forthcoming need to do something similar to this too, so I
>> appreciate your response here Leo. Any additional info would also be
>> appreciated!
>>
>> Kev
>>
>> On 29/07/10 8:20 AM, "Leo R. Lundgren" <leo at finalresort.org> wrote:
>>
>>> Did you Google any of this? There's a ton of information out there on this
>>> essential functionality.
>>>
>>> There are many ways to do it. First of all you need the authentication,
>>> which
>>> you can do upon request, firing a query to the database, or by caching
>>> information so you don't need a trip to the database for each request.
>>>
>>> Then you need a way to protect the files. The obvious solution is to have
>>> them
>>> placed in a directory that is not directly accessible from the web (for
>>> example by having a "deny from all" in Apache's rules, which could be in a
>>> .htaccess, or some equivalent measure in other web servers).
>>>
>>> Then to bind this together you could write a script that processes the
>>> request
>>> and readfile()'s the requested file if it exists and the user provided valid
>>> credentials. If the files are big readfile() might not be that fun to use
>>> since it literally relays the entire file using PHP, but there are other
>>> ways
>>> to do it in that case. One example is to make the web server protect the
>>> files
>>> by asking your PHP script for authentication, and if the auth succeeds the
>>> web
>>> server sends the file instead of PHP, which is more effective.
>>>
>>> The readfile() method probably works as a start though, depending on your
>>> file
>>> sizes and the number of requests you'll get. As you say its PDF files I
>>> suppose they won't be that huge :)
>>>
>>> -|
>>>
>>> 29 jul 2010 kl. 00.03 skrev Joel Shapiro:
>>>
>>>> Hi all
>>>>
>>>> I've got a new client that would like to make some downloadable materials
>>>> (mostly PDFs) available to their authorized users. The client would like
>>>> to
>>>> be able to upload files to some directory on their site and have only
>>>> logged-in users (authenticated via FMP "users" table) be able to view
>>>> and/or
>>>> download them.
>>>>
>>>> Anybody have any thoughts on the best & simplest way to do this? (or are
>>>> best and simplest mutually exclusive? ;)
>>>>
>>>> I've thought of giving the client access to edit an html page with links to
>>>> each of the downloadable files -- and I'd make that page accessible only to
>>>> logged in users. Are there easy ways to avoid having the client have to
>>>> update html and hrefs?
>>>
>>> _______________________________________________
>>> FX.php_List mailing list
>>> FX.php_List at mail.iviking.org
>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>
>>
>> --
>> Kevin Futter
>> Webmaster, St. Bernard's College
>> http://www.sbc.vic.edu.au/
>>
>> This e-mail and any attachments may be confidential. You must not disclose or
>> use the information in this e-mail if you are not the intended recipient. If
>> you have received this e-mail in error, please notify us immediately and
>> delete the e-mail and all copies. The College does not guarantee that this
>> e-mail is virus or error free. The attached files are provided and may only
>> be used on the basis that the user assumes all responsibility for any loss,
>> damage or consequence resulting directly or indirectly from the use of the
>> attached files, whether caused by the negligence of the sender or not. The
>> content and opinions in this e-mail are not necessarily those of the College.
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>
>
>
> -|
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
--
Kevin Futter
Webmaster, St. Bernard's College
http://www.sbc.vic.edu.au/
This e-mail and any attachments may be confidential. You must not disclose or use the information in this e-mail if you are not the intended recipient. If you have received this e-mail in error, please notify us immediately and delete the e-mail and all copies. The College does not guarantee that this e-mail is virus or error free. The attached files are provided and may only be used on the basis that the user assumes all responsibility for any loss, damage or consequence resulting directly or indirectly from the use of the attached files, whether caused by the negligence of the sender or not. The content and opinions in this e-mail are not necessarily those of the College.
More information about the FX.php_List
mailing list