httpd-users mailing list archives

From "Ralph Crongeyer" <rcronge...@oceaneering.com>
Subject Re: [users@httpd] Apache authentication on a per file basis?
Date Fri, 05 Mar 2004 18:18:12 GMT
Thanks for the help Joshua.

All of the links are stored in a database (the path in one field and the
filename in another) and the links are created from the database
entries. So if I put in PATH NAME /var/data and in FILE NAME file1.pdf,
and then click on the link I get:

Not Found

The requested URL /var/data/file1.pdf was not found on this server.

So how do I get php to serve up the files from a "non-web-accessible
area"?

Ralph

>>> joshua@slive.ca 03/05/04 12:58 PM >>>


Ralph Crongeyer wrote:

> Hi all,
> 
> I'm wondering if there is a way to do this:
> 
> I need Apache to check my existing database to see if the user is
> permitted to view the file (usually a .pdf file).
> 
> Currently the setup is via webpages/php; a user logs into the
> application and can only see what his/her group is allowed. For instance,
> when the user clicks on a link a query is run and they are presented
> with a list of files that their group is permitted to see. They can
> simply click on the link and view the file. Sometimes more than one group
> can see the same files. This is fine, except, if the user knows where
> the files are stored they may be able to bypass the "group security" and
> see files that the web interface wouldn't normally allow them to.
> 
> How could this be best accomplished?

The application that is doing the authentication (php in this case) must
deliver the file directly, rather than just linking to an unprotected 
part of the web space.  In other words, keep the pdf files in a 
non-web-accessible area and have your php script read them from there 
and send them to the client.

This is not a very nice solution, since it will probably destroy the 
ability to byte-serve, use sendfile, etc, but I don't know of any other
way.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
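
The approach Joshua describes (files kept outside the web space, delivered by the PHP script after its own group check), as an added example that is not part of the original thread. The script name `download.php`, the table and column names, the session key and the DSN are assumptions; generated links would point at `download.php?id=N` rather than at the filesystem path `/var/data/file1.pdf`.

```php
<?php
// Added example, not from the thread. Assumed (hypothetical) schema:
//   files(id, path, filename), file_groups(file_id, group_id)
// Assumed: the existing login code sets $_SESSION['group_id'].
const STORE_ROOT = '/var/data';  // kept outside DocumentRoot

/** Absolute path of file $id if group $groupId may read it, else null. */
function resolve_permitted_file(PDO $db, int $groupId, int $id): ?string
{
    $q = $db->prepare(
        'SELECT f.path, f.filename FROM files f
           JOIN file_groups g ON g.file_id = f.id
          WHERE f.id = ? AND g.group_id = ?');
    $q->execute([$id, $groupId]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;  // unknown id, or this group is not permitted
    }
    // Canonicalise, then require the result to stay under STORE_ROOT so a
    // database entry containing "../" or a symlink cannot reach other files.
    $root = realpath(STORE_ROOT);
    $real = realpath($row['path'] . '/' . $row['filename']);
    if ($root === false || $real === false || !is_file($real)
        || strncmp($real, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

session_start();
if (!isset($_SESSION['group_id'])) {
    http_response_code(403);
    exit('Not logged in');
}
// Placeholder DSN; use the application's existing database connection.
$db = new PDO('sqlite:/var/app/files.db');
$id = (int) filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$path = resolve_permitted_file($db, (int) $_SESSION['group_id'], $id);
if ($path === null) {
    http_response_code(404);  // same answer for "missing" and "not permitted"
    exit('Not found');
}
header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . str_replace('"', '', basename($path)) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```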


