Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to secure Laravel Storage folders

In my project, I have implemented auth and ACL for my controllers and routes. I have a file upload system accessible only if the user is logged. It's work fine.

My problem is on the uploaded files. The user can access any file if have a file URL. How I can implement auth on uploaded files?

I tried with routes, but when accessing my file through the browser the file is shown as if not have a route intercepting this URL.

I have used this code:

Route::get('/storage/document/3/4a15c1ab060be8f35.png', function () {
  return 'ok';
});

How can I implement auth on specific folders on storage? Thanks!

like image 789
Luciano Braga Avatar asked Nov 10 '18 13:11

Luciano Braga


People also ask

Where should I store files in Laravel?

Laravel's filesystem configuration file is located at config/filesystems. php . Within this file, you may configure all of your filesystem "disks". Each disk represents a particular storage driver and storage location.

How do I unlink files from storage in Laravel?

One way to delete a file from the public directory in Laravel is to use the Storage facade. To delete a file, you will need to follow the following steps: Step 1: Check to ensure that the folder and file exist. Step 2: Delete the required file.

How do I link my storage folder in Laravel 8?

You can link the storage folder in laravel using php artisan command and you can also run a PHP script to create a symbolic link between two folders.

Can I delete storage folder in Laravel?

To delete a directory in the Laravel application you can make use of the "deleteDirectory()" method available from the Storage facade. <? php Storage::deleteDirectory($directory); This method will delete the directory with all of its files so you must carefully ensure that you are deleting the right directory.

What is the best way to store files in Laravel?

For example, you can use the local storage system where all the files will be stored within the project itself. You can also use the SFTP to transfer files to other servers or you can utilize the Cloud Storage for storing all your files. Laravel provides the Amazon S3 or Google Cloud storage out of the box.

Where can I find the file system configuration in Laravel?

Laravel's filesystem configuration file is located at config/filesystems.php. Within this file, you may configure all of your filesystem "disks". Each disk represents a particular storage driver and storage location.

How to protect Laravel from hacking?

To prevent the Laravel for hacking, you have to un follow the direct access of the files from the webserver and hide .env file or code from the server. Why do we protect the .env file?

How do I transfer files from one Laravel server to another?

You can also use the SFTP to transfer files to other servers or you can utilize the Cloud Storage for storing all your files. Laravel provides the Amazon S3 or Google Cloud storage out of the box. In Laravel, we call all these storage types as disks, think of file storage and label it as a disk in Laravel.


2 Answers

If you want to restrict access to files per user based on some sort of permission, you'll need to build that permission logic yourself (StackOverflow isn't going to do your job for you), but for the sake of answering this question, let's assume you already have that permission system in place and in order to check whether the user has access, our function is hasAccessToFile which basically just does a look up based on whatever your business logic requires.

Instead of serving all files publicly, you can serve individual files, here's a very brief example:

Route::get('files/{pathToFile}', function($pathToFile) {

    if (auth()->user()->hasAccessToFile($pathToFile)) {
        return response()->file($pathToFile);
    } else {
        return 'Nope, sorry bro, access denied!';
    }

});

See the File Responses documentation.

If you need to provide downloads of the files rather than serving of them, similarly:

Route::get('files/{pathToFile}', function($pathToFile) {

    if (auth()->user()->hasAccessToFile($pathToFile)) {
        return response()->download($pathToFile);
    } else {
        return 'Nope, sorry bro, access denied!';
    }

});

See the File Downloads documentation.

like image 168
Stephen Lake Avatar answered Oct 18 '22 00:10

Stephen Lake


You can refer to my answer here. The process includes creating a new Storage Disk that saves files on /storage/app/ (not in public folder) and validating the request before serving the file to the user.

like image 39
Abdelsalam Shahlol Avatar answered Oct 18 '22 00:10

Abdelsalam Shahlol