Friday, May 24, 2013

Re: Directory Protection

I would say you should start by protecting the image folder with first-level protection, which is Apache htaccess rules. There are a lot of pages providing rules to be written in the htaccess file. The second thing may be to think about some key-generated name for images, so instead of pic_1000.jpg (user id 1000), write some random name like pic_mmxeffqyYZ1rn0oofo1_500.jpg (for example, like tumblr.com does), so no one can guess what it is associated with.

Here is a nice article/list about image protection:
http://www.naturefocused.com/articles/image-protection.html

For testing you can create a subdomain on your website like img.yourdomain.com and test the rules that you want to implement directly there, and set the root folder for img.yourdomain.com to something like /app/webroot/img/uploads/.

On Friday, May 24, 2013 6:52:38 AM UTC+2, advantage+ wrote:

The point is, for example (not comparing to Facebook or any site that has images / files), you cannot go to facebook.com/profiles/uploads/images and view all images; it's protected. The server gets the image location and sends it out to the "view" when needed.

 

I do not want the folder "files" are uploaded to be accessed.

If I put the "upload" folder outside webroot, CakeRequest::file just spits out the image / file to the browser... I do not want that.

 

I need to pull from the folder and display it as if it was coming from img folder as normal.

 

You do not want anyone to go to site.com/img/uploads/ and have full access to browse thru all your files / images / uploads

 

 

 

From: cake...@googlegroups.com [mailto:cake...@googlegroups.com] On Behalf Of André Luis
Sent: Thursday, May 23, 2013 9:27 AM
To: cake...@googlegroups.com
Subject: Re: Directory Protection

 

Just a suggestion, but why don't you create an images folder on the root of the server, then create a controller which reads the image and outputs it to the browser? It would be protected...

 

It would be like you create /app/images and upload the files to this folder, then only Cake would have access, but for better security, the root folder is advised.


On Wednesday, May 22, 2013 11:08:56 PM UTC-3, advantage+ wrote:

I have an "img/uploads" folder which has users' profile images and such.

 

How do you go about protecting the folder so there is no access except when Cake gets the images?

So anyone can't just browse thru the directory?

 

Google search turned up MediaView, so put the uploads outside of webroot, but
"As of 2.3 MediaView is deprecated and you can use CakeResponse::file() to send a file as response:"

 

Should it be set to use CakeResponse::file($path, $options = array())

Allows you to set a file for display or download

 

If so, is there a simple example out there showing exactly how this would get the files and serve it up?

 

$image = CakeResponse::file('where/file/is/here.jpg', $options = array());

$this->Controller->set('image', $image);

 

Thanks,

Dave

 

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
 
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+u...@googlegroups.com.
To post to this group, send email to cake...@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
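
The approach discussed in this thread (uploads kept outside webroot, random keys instead of guessable names, and CakeResponse::file() to send the file), as an added example that is not code from any of the posters or from the CakePHP project. The controller name `ImagesController`, the `Upload` model with its `token` and `filename` fields, and the `ROOT/uploads` location are assumptions made for illustration.

```php
<?php
// app/Controller/ImagesController.php (hypothetical controller, CakePHP 2.3+)
App::uses('AppController', 'Controller');

class ImagesController extends AppController {

    // GET /images/view/<token>
    public function view($token = null) {
        // Accept only the random key format, never a file name or a path,
        // so the URL gives no hint of user ids and cannot address a directory.
        if (!is_string($token) || !preg_match('/\A[A-Za-z0-9]{16,64}\z/', $token)) {
            throw new NotFoundException();
        }

        // Assumption: a hypothetical Upload model maps token -> stored file name.
        $this->loadModel('Upload');
        $row = $this->Upload->find('first', array(
            'conditions' => array('Upload.token' => $token),
            'fields' => array('Upload.filename'),
        ));
        if (empty($row)) {
            throw new NotFoundException();
        }

        // Assumption: uploads live in ROOT/uploads, outside app/webroot,
        // so no URL maps onto the folder and it cannot be browsed.
        $base = realpath(ROOT . DS . 'uploads');
        // basename() drops any directory part of the stored name;
        // realpath() resolves symlinks before the containment check.
        $path = realpath($base . DS . basename($row['Upload']['filename']));
        if ($base === false || $path === false || strpos($path, $base . DS) !== 0) {
            throw new NotFoundException();
        }

        // 'download' => false sends the image inline, so it can be used
        // as the src of an <img> tag like any file under webroot/img.
        $this->response->file($path, array('download' => false));
        return $this->response;
    }
}
```

A view would then reference the image by its key, for example with an `<img>` whose `src` is `/images/view/<token>`. An authorization check (such as comparing the logged-in user against the owner of the upload) can be added before the file is sent.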
 
 
