yeah that's what I intend to do. I used your Uploader to upload files
for testing purposes, this works well, BUT I think that the allowed
mimetypes are not working as they should. I can upload ANY file,
although I allowed only JPEG and GIF to the plugin. That's a bit
weird, but I'm sure I'll find out why this is happening.
Let's assume we have done the work for uploading the files, store the
files with a unique name in a separate folder etc. but HOW can I
prevent a user getting files from other users? I think at the moment
every user can just type in a filename and if it's there, he will be
able to download it, no matter if it belongs to that user or not.
I've seen several solutions to this issue, mostly there is a php-
action involved (let's say download.php?filename.ext) where the
permission for the user is checked.
But there has to be a cake-style solution to this, right? In my DB I
store the user_id to every file that's uploaded, so I can check by
$this->Auth->User('id') wether the file belongs to the requesting
user, or not. But the direct download is not prevented.
Would a certain entry in the ROUTES.PHP file bring any help to that?
Maybe to redirect every request to the folder webroot/files to an
action that checks the permissions or sth. like that...?
I know it's kinda hard to understand what I mean, but if I see once
how to to such things, I won't bother you guys anymore, I swear :)
Regards,
DD
On 31 Aug., 18:11, Miles J <mileswjohn...@gmail.com> wrote:
> Yeah but thats pretty pointless if your just uploading images.
>
> But yes what you said would be the ideal situation if you want to do a
> download system, or supply files to users.
>
> On Aug 31, 4:56 am, Stinkbug <justink...@gmail.com> wrote:
>
> > There is one thing to keep in mind when uploading files and that's the
> > security risks in uploading files to the webroot where people can
> > access them directly. It's generally recommended to upload files to a
> > directory outside of the webservers document root and give them a
> > unique name, so that the file can't be accessed directly. Store a
> > reference in the database as a pointer to the file on the file
> > system. Then you can use Cakes Media view to access the file.
>
> > This helps prevent people from uploading a malicious file and then
> > executing it on the server. On top of that you can do all kinds of
> > server authentication or even use the ACL to grant proper permissions
> > to the files.
>
> > On Aug 30, 10:51 am, DigitalDude <e.blumsten...@googlemail.com> wrote:
>
> > > Hey,
>
> > > in my first "real" and own project, I want to implement the ability to
> > > upload files to a user's account. The filetypes I need to be able to
> > > upload are:
>
> > > - PDF
> > > - JPG
> > > - GIF
> > > - PNG
> > > - XLS
> > > - DOC
> > > - OpenOffice Documents
> > > - ZIP
> > > - RAR
>
> > > Before I start to implement a file-uploading action, I need to
> > > consider what are the security-risks of fileuploads in general, and in
> > > case of any of the listed filetypes above.
>
> > > What are the dangers of these filetypes, abd how can I prevent myself
> > > and my server from getting in danger?
>
> > > Regards,
>
> > > DD
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
No comments:
Post a Comment