
File Access


hackalive


Hi guys,

 

I am making a site where users upload files (like images, pdfs, etc) to the server.

 

My question is, how does Facebook handle file permissions, restricting access to files uploaded to their servers based on what a user sets?

Because I need to implement a similar thing and have no idea how to do it in a clean way.

 

I have had two thoughts on storing the files 1) in a DB or 2) in a folder out of the wwwroot, which would prevent access by anyone without knowing the path (or some such) but it is the more "real" permissions implementation I am stuck on.

 

I obviously would like to achieve this with PHP and MySQL(i).

 

Any help is much appreciated.

 

Cheers in advance.

Link to comment

Facebook doesn't block access to the images, but rather access to the page the image is on... so if you have the URL (which includes a bunch of random looking numbers) of the actual image you will be able to see it without any kind of permissions.

 

you'd probably want to set up a table that includes the path to the file along with fields of who it belongs to and what permissions are and such... you could get a hash or something to change the name of the file... just make sure you include that in your table as well so you can reference it.

 

then when a person goes to the page that the image/file is on... you could have a function like "userHasAccess()" which could check against the permissions table and other tables if necessary.

 

the following could all be figured by just that file table with fields like owner, restriction_level, file_url, etc:

* if it's the owner of the file, allow

* if the file is unrestricted, allow

* if the file is restricted and the user is not the owner, disallow

 

then you could get into more things like if the restriction_level means "only friends can view", you could check the friends table to make sure that connection is there... if it is, allow, if not, disallow.

 

and by allow or disallow... here is a simple example of what that means:

 

if(userHasAccess()){
  //show the page with the file and stuff
}
else
{
  //inform user that they do not have access to this content
}

Link to comment
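
The check described in the post above, written out as an added example (not code from the thread). The `files` and `friends` tables, their columns and the three restriction levels are assumptions modelled on the fields the post names; PDO with in-memory SQLite is used only so it runs without a database server.

```php
<?php
// Added example. Table names, column names and the restriction levels are
// assumptions modelled on the fields named in the post above.
const LEVEL_PUBLIC = 0, LEVEL_FRIENDS = 1, LEVEL_OWNER = 2;

function userHasAccess(PDO $db, ?int $userId, string $storedName): bool
{
    $q = $db->prepare('SELECT owner, restriction_level FROM files WHERE stored_name = ?');
    $q->execute([$storedName]);
    $file = $q->fetch(PDO::FETCH_ASSOC);
    if ($file === false) {
        return false;                       // unknown file: deny
    }
    $level = (int) $file['restriction_level'];
    $owner = (int) $file['owner'];
    if ($level === LEVEL_PUBLIC) {
        return true;                        // unrestricted: allow anyone
    }
    if ($userId === null) {
        return false;                       // restricted and not logged in
    }
    if ($userId === $owner) {
        return true;                        // the owner always has access
    }
    if ($level === LEVEL_FRIENDS) {
        $q = $db->prepare('SELECT 1 FROM friends WHERE user_id = ? AND friend_id = ?');
        $q->execute([$owner, $userId]);
        return $q->fetchColumn() !== false; // allow only if the link exists
    }
    return false;                           // owner-only or unknown level: deny
}

// Constructed sample data in an in-memory SQLite database, so the example runs
// without a server; the two SELECT statements are plain SQL that MySQL accepts too.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (stored_name TEXT PRIMARY KEY, owner INTEGER, restriction_level INTEGER)');
$db->exec('CREATE TABLE friends (user_id INTEGER, friend_id INTEGER)');
$db->exec("INSERT INTO files VALUES ('pub', 1, 0), ('frd', 1, 1), ('own', 1, 2)");
$db->exec('INSERT INTO friends VALUES (1, 2)');

foreach ([[2, 'frd'], [3, 'frd'], [2, 'own'], [1, 'own'], [null, 'pub'], [null, 'frd']] as [$user, $file]) {
    printf("user %s, file %s: %s\n", $user ?? 'anonymous', $file,
        userHasAccess($db, $user, $file) ? 'allow' : 'deny');
}
```

Every path that is not an explicit allow ends in a deny, so a missing row or an unrecognised restriction level fails closed.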

@smerny:

Thanks for pointing out how Facebook does it and how I could do something else (better) to achieve what I am after.

 

So if I was to store all my files outside the wwwroot and rename them on upload to a hashtag (of some form), then store that hashtag in a table which also has the permission (of say 1 - which allows uploader to see it) that would solve my issue :)

 

I think I have interpreted that right :)

 

My next point (question) is, would this be efficient on a large scale? Or could I make it more efficient in some way?

 

Thanks again smerny for your help so far.

Link to comment

 

All Facebook relies on (correct me if I'm wrong) is an 'outsider' not knowing the actual location of the image. If you know the actual location of any image on Facebook you can view the said image without being logged in, check out this link for example: http://a6.sphotos.ak.fbcdn.net/hphotos-ak-ash4/423751_338195096215603_224132780955169_874059_1469222108_n.jpg

 

The only problem of course is that the big long file name appears to bear no reference to the picture (to the outsider of course). If you place any image out of the web root then your browser simply cannot get to it as there is no valid path to it.

 

If you wanted to place the image out of the webroot to be sure only certain people could view it, you would then need to write a PHP script to read the said image and spit it out to the specific user... but get enough people using your site and your server might start to struggle if every image had to be processed through PHP all the time.

 

 

Link to comment
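
A sketch of the "PHP script that reads the file and spits it out" from the post above, as an added example (not code from the thread). It assumes PHP 8, stored names of 32 hex characters, a short list of types that may be shown inline, and an `$allowed` flag that stands for the result of your own permission check.

```php
<?php
// Added example (PHP 8). The 32-hex-character name format, the inline type
// list and $allowed (the result of your own permission check) are assumptions.

function resolveStoredFile(string $storageDir, string $storedName): ?string
{
    // Accept only names in the format the server generates, so a request
    // value containing "../" never reaches the filesystem.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $storedName)) {
        return null;
    }
    $base = realpath($storageDir);
    $path = realpath($storageDir . DIRECTORY_SEPARATOR . $storedName);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // After symlinks are resolved the file must still be inside the storage folder.
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

function sendStoredFile(?string $path, bool $allowed): int
{
    if ($path === null || !$allowed) {
        http_response_code(404);            // same answer for missing and forbidden
        return 404;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'], true)) {
        $mime = 'application/octet-stream'; // never render unexpected types inline
        header('Content-Disposition: attachment');
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($path);                        // streams the file to the client
    return 200;
}

// Constructed demo: a temporary directory stands in for the folder outside the web root.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
is_dir($dir) || mkdir($dir, 0700);
$name = str_repeat('ab', 16);
file_put_contents($dir . DIRECTORY_SEPARATOR . $name, 'constructed file body');

if (resolveStoredFile($dir, '../' . $name) !== null) {
    throw new RuntimeException('traversal attempt was not rejected');
}
sendStoredFile(resolveStoredFile($dir, $name), true);
```

In a real endpoint the name comes from the request and `$allowed` from the permission lookup, one file per request. Where PHP load is a concern, the script can keep the permission check and hand the transfer itself to the web server through `X-Accel-Redirect` (nginx) or `X-Sendfile` (Apache mod_xsendfile).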

So my absolute final question would have to be how to make such a unique hash value?

 

I found this: http://php.net/manual/en/function.uniqid.php

 

What do you think? Better ways of doing it?

 

yea you could do something like the example there... then just check that another image hasn't already taken it (which is extremely unlikely)... if it's already taken make a new one..

 

then name the file that and set up a reference to that file

Link to comment
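
The naming step discussed above, as an added example (not code from the thread). It uses `random_bytes()` in place of the linked `uniqid()`, because the PHP manual states that `uniqid()` values must not be relied on to be unguessable; `newStoredName()`, `storeUpload()` and the paths are assumptions.

```php
<?php
// Added example. newStoredName(), storeUpload() and the paths are assumptions.

function newStoredName(): string
{
    return bin2hex(random_bytes(16));       // 128 random bits as 32 hex characters
}

function storeUpload(string $tmpPath, string $storageDir): string
{
    for ($try = 0; $try < 5; $try++) {
        $name = newStoredName();
        // Mode 'x' creates the file and fails if the name already exists: the
        // "check it isn't taken, otherwise make a new one" step in one atomic call.
        $out = @fopen($storageDir . DIRECTORY_SEPARATOR . $name, 'x');
        if ($out === false) {
            continue;
        }
        $in = fopen($tmpPath, 'rb');
        stream_copy_to_stream($in, $out);
        fclose($in);
        fclose($out);
        return $name;                       // save this in the files table row
    }
    throw new RuntimeException('could not allocate a file name');
}

// Constructed demo: a temp file plays the uploaded file. In a real handler,
// confirm is_uploaded_file($_FILES[...]['tmp_name']) before calling storeUpload().
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
is_dir($dir) || mkdir($dir, 0700);
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, 'constructed file body');

printf("stored as:  %s\n", storeUpload($tmp, $dir));
printf("stored as:  %s\n", storeUpload($tmp, $dir));
// For comparison: two uniqid() values taken back to back are derived from the
// clock, so they share a long common prefix.
printf("uniqid():   %s\nuniqid():   %s\n", uniqid(), uniqid());
unlink($tmp);
```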