How to secure Laravel Storage folders
In my project, I have implemented auth and ACL for my controllers and routes. I have a file upload system accessible only if the user is logged in. It works fine.

My problem is with the uploaded files. The user can access any file if they have its URL. How can I implement auth on uploaded files?

I tried with routes, but when accessing my file through the browser the file is shown as if there were no route intercepting this URL.

I have used this code:

Route::get('/storage/document/3/4a15c1ab060be8f35.png', function () {
  return 'ok';
});

How can I implement auth on specific folders on storage? Thanks!

Brownnose answered 10/11, 2018 at 13:43 Comment(0)
If you want to restrict access to files per user based on some sort of permission, you'll need to build that permission logic yourself (StackOverflow isn't going to do your job for you). For the sake of answering this question, let's assume you already have that permission system in place, and that in order to check whether the user has access, our function is hasAccessToFile, which basically just does a look-up based on whatever your business logic requires.

Instead of serving all files publicly, you can serve individual files, here's a very brief example:

Route::get('files/{pathToFile}', function($pathToFile) {

    if (auth()->user()->hasAccessToFile($pathToFile)) {
        return response()->file($pathToFile);
    } else {
        return 'Nope, sorry bro, access denied!';
    }

});

See the File Responses documentation.

If you need to provide downloads of the files rather than serving of them, similarly:

Route::get('files/{pathToFile}', function($pathToFile) {

    if (auth()->user()->hasAccessToFile($pathToFile)) {
        return response()->download($pathToFile);
    } else {
        return 'Nope, sorry bro, access denied!';
    }

});

See the File Downloads documentation.

Supersede answered 10/11, 2018 at 14:14 Comment(9)
The part about showing the file if the user has permission is not the problem. But this doesn't work if the file is in the public folder storage/app/public. How can I protect a subfolder of public like storage/app/public/docs? – Brownnose
Don't use the public folder or any sub directories for protected files. If you need to display a protected image or download a file then serve it over an endpoint (route) you can control. – Rude
@LucianoBraga Adam just said it. You're not supposed to make everything public if you don't want everything to be public. If you want to serve files privately, then they cannot be accessible in storage via the public resource directory. Makes sense, right? – Supersede
@snh Yes, makes sense. I understand it, but I have files in the public folder that I want to turn into private ones. In this case, the solution is to move these files to another folder, right? – Brownnose
@LucianoBraga That's right, move them anywhere you like outside of the public directory, preferably the storage folder, and if your storage folder is symlinked, you'll need to ensure the destination folder isn't publicly readable, obviously. – Supersede
OK. Thanks for all!! – Brownnose
Looks like this is an LFI vuln if you have the correct permissions; looks good but needs more logic – Inger
@jaquarh Possibly, but that's out of scope of OP. Perhaps you can contribute a tutorial on protecting local files? – Supersede
Perhaps it would be enough to just strip any traversal attempts out of it, i.e. ../, but you could get creative and make something robust. Although, rightly so, far outside OP's scope, people still visit SO questions and CTRL+C CTRL+V without any thoughts on what they're putting into their application @StephenLake – Inger
You can refer to my answer here. The process includes creating a new Storage Disk that saves files on /storage/app/ (not in public folder) and validating the request before serving the file to the user.

Fontanel answered 7/7, 2019 at 19:22 Comment(1)
thanks! helped me a lot... – Lakitalaks
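The two answers and the comment thread above describe one design: keep protected uploads on a disk whose root is outside the web root (the asker's route never fired because the web server serves an existing file under public/storage itself, before the request reaches Laravel), serve them only through an authenticated route, and do not let the caller's path escape that disk. The following is an added example, not code from either answer or from the Laravel project; it assumes a disk named `documents` added to config/filesystems.php, keeps the accepted answer's hypothetical `hasAccessToFile()` check on the user model, and adds the traversal defence the later comments ask for.

```php
<?php
// Added example (not from the original answers). Serves files from a private
// local disk to authenticated users who pass a per-file permission check, and
// rejects path-traversal input before the filesystem is touched.
//
// Assumed entry in config/filesystems.php (outside the public/ web root and not
// covered by the public/storage symlink):
//
//   'documents' => [
//       'driver' => 'local',
//       'root'   => storage_path('app/documents'),
//   ],

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

/**
 * Normalise a user-supplied relative path and reject anything that could leave
 * the disk root: empty paths, NUL bytes, backslashes, absolute paths, Windows
 * drive letters, and any `.`, `..` or empty segment. Returns null if rejected.
 */
function safeRelativePath(string $path): ?string
{
    if ($path === '' || str_contains($path, "\0") || str_contains($path, '\\')) {
        return null;
    }
    if (str_starts_with($path, '/') || preg_match('/^[A-Za-z]:/', $path) === 1) {
        return null;
    }
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }
    return $path;
}

// `auth` middleware guarantees $request->user() is set, so the closure never
// dereferences a null user the way an unguarded auth()->user() call would.
Route::middleware('auth')->get('files/{path}', function (Request $request, string $path) {
    $relative = safeRelativePath($path);
    abort_if($relative === null, 404);

    $disk = Storage::disk('documents');
    abort_unless($disk->exists($relative), 404);

    // Defence in depth: after symlink/realpath resolution the file must still sit
    // below the disk root (guards against a symlink planted inside the upload dir).
    $root = realpath($disk->path(''));
    $full = realpath($disk->path($relative));
    abort_unless(
        $root !== false && $full !== false
            && str_starts_with($full, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR),
        404
    );

    // Business-logic check from the accepted answer (hypothetical method on the
    // user model). 403 rather than a plain string so clients and logs see a real
    // status code; 404 above avoids confirming which paths exist to unauthorised users.
    abort_unless($request->user()->hasAccessToFile($relative), 403);

    // Inline display; use $disk->download($relative) to force a download instead.
    return $disk->response($relative);
})->where('path', '.*');
```

The `where('path', '.*')` constraint lets the parameter contain slashes so sub-folders such as `docs/4a15c1ab060be8f35.png` resolve to one route parameter; that is exactly why the segment-by-segment check runs before `Storage` sees the value.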
