 

Secure a download link in Symfony 2

In my Symfony 2 project, I have a page displaying information about an entity. On this page there is also a link to a file associated to this entity.

The page is secured and it can be displayed only if the user has a specific role. The expected role is not the same for every entity so it's tested dynamically in the Action.

My problem is that even if the page is secured, anyone can access the file via its URL. I'd like it to be downloadable only if the role matches the one for the page display.

Any suggestion on how I should do it, or where to start looking?

skwi asked Mar 30 '12 08:03


1 Answer

Move the file outside of the public directory so it's not accessible via a URL. In the controller if a user has the correct permissions then allow the user to download the file.

You could use this in your controller:

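// $file is the path to the file stored outside the public directory.
$headers = array(
    'Content-Type'        => 'application/pdf',
    'Content-Disposition' => 'inline; filename="file1.pdf"',
);

// Send the file contents only after the permission check has passed.
return new Response(file_get_contents($file), 200, $headers);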
Flukey answered Sep 24 '22 23:09