CakePHP: Access private folders after authentication - cakephp

I'm looking for a CakePHP best practice to serve folders/files to clients after they are authenticated. I know it's simpler to use a .htpasswd/.htaccess based solution but I wonder whether there is a better way.
What is it for?
I want to create a client area where authenticated clients can see the contents of their private folder(s), e.g. to test some static HTML templates before CMS integration or to upload some documents like commented screenshots or PDF files.
A usecase could be:
Create a new client (only by admin)
Generate login credentials for different users of the same client
Create a new client folder (only by admin)
Upload some static html to the client folder
After login the client can access the folder and view the HTML
After logout access to the static files is restricted
Any suggestions?

Do you know about CakePHP's "Media Views"? I think that you might be able to do what you want with them.
quick & dirty example...
public function serve($filename = null) {
    // Only serve to an authenticated user. basename() drops any directory
    // part, so a request like "../config/database.php" cannot leave the
    // private directory.
    if ($filename && $this->Auth->user()) {
        $filename = basename($filename);
        $this->viewClass = 'Media';
        $params = array(
            'id' => $filename, // full filename, including the extension
            'name' => pathinfo($filename, PATHINFO_FILENAME), // name offered on download
            'download' => false, // true, then you get a download box
            'extension' => pathinfo($filename, PATHINFO_EXTENSION),
            'path' => APP . 'outside_webroot_dir' . DS // directory outside webroot
        );
        $this->set($params);
    } else {
        // redirect to login or something
        $this->redirect($this->Auth->loginAction);
    }
}
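A fuller version of the same idea, added here as an example and not taken from the answer above or from CakePHP itself. It assumes CakePHP 2.x with AuthComponent, a `client_id` field in the session user record, and one directory per client under `APP/private_files/<client_id>/`; those names are assumptions. Beyond what the quick example shows, it pins the served file to the logged-in user's own client directory and verifies with `realpath()` that the resolved path is still inside it, so neither the filename nor a symlink inside the folder can reach anything else.

```php
<?php
// Added example (not the original answer's code). Assumes CakePHP 2.x,
// AuthComponent loaded in AppController, a 'client_id' column on users, and
// per-client directories under APP/private_files/<client_id>/ (all assumed).
App::uses('AppController', 'Controller');

class FilesController extends AppController {

    public $components = array('Auth', 'Session');

    public function serve($filename = null) {
        $user = $this->Auth->user();
        if (!$user || $filename === null) {
            $this->Session->setFlash('Please log in to access this file.');
            return $this->redirect($this->Auth->loginAction);
        }

        // Reject anything that is not a plain file name: no directory parts,
        // no empty name, no dot-files.
        $safeName = basename($filename);
        if ($safeName !== $filename || $safeName === '' || $safeName[0] === '.') {
            throw new NotFoundException('File not found');
        }

        // The client id comes from the session, never from the request, so a
        // user can only ever be pointed at their own client's directory.
        $clientDir = APP . 'private_files' . DS . (int) $user['client_id'] . DS;
        $fullPath = $clientDir . $safeName;

        // realpath() resolves symlinks; the result must still sit below $clientDir.
        $real = realpath($fullPath);
        $base = realpath($clientDir);
        if ($real === false || $base === false
            || strpos($real, $base . DS) !== 0 || !is_file($real)) {
            throw new NotFoundException('File not found');
        }

        // Render inline for the types a client wants to preview in the browser;
        // everything else is offered as a download.
        $extension = strtolower(pathinfo($safeName, PATHINFO_EXTENSION));
        $inline = array('html', 'htm', 'css', 'js', 'png', 'jpg', 'gif', 'pdf');

        $this->viewClass = 'Media';
        $this->set(array(
            'id' => $safeName,
            'name' => pathinfo($safeName, PATHINFO_FILENAME),
            'extension' => $extension,
            'path' => $clientDir,
            'download' => !in_array($extension, $inline, true),
        ));
    }
}
```

Because every request passes through this action, logging out ends access immediately: the next request has no session user and is redirected, which is exactly the "after logout access is restricted" requirement in the question.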

I think the easiest way is to use a database structure for this.
The files are stored on the server anyway, where does not matter.
This is how you do:
Create a table in the database called DataFile (because "File" causes problems with the Cake "File" class). Fields should be something like: id, data_folder_id, name, size, mime_type etc. Use what fits your needs.
Create a table in the database called DataFileFolder. Fields here: id, parent_id, name, visible. Same as above, whatever fits your needs.
Create an association key in the client table or a whole association table if needed. (For example: one client and 50 folders in different places). Be aware of the association you create. If you use Client->DataFolder the client automatically has access to all files within that folder.
Bake models and a FileController with an index frontend method and admin actions as well as views.
Optimize admin methods for creating either a file or a folder record.
The index method for the frontend has one parameter which represents the folder id. You output each and every folder and file in the folder, starting with the first one the user is allowed to access. You could also just output a list of folders the user is allowed to access in case these folders are on different levels of the new "file manager". You have to check permission on each and every new page call for the given folder id. But that's clear, I think.
Implement a download method for the files based on the media view mentioned above. This should be it.
I think this is the best and easiest way to control the access for such folders.
Because there are some limitations if it is not your server (post_max_size etc.), you should maybe think about an external script (or write it on your own if you have the time ;)) to load those files over FTP.
You could also think about a folder accessible on your FTP to upload files. In the "new file" dialog in the backend this folder will be output and you can include the file into the system by just copying it (via PHP of course). Advantage: only one upload (though it would only be two if you are using the FTP upload method mentioned before this).
If you are just into sharing files with clients and those clients are not going to have access to anything else based in your CakePHP project, just use FTP with a folder for each client. Faster and easier to handle because you can send them URLs like "ftp://username:password#yourserver.com" and done. They are logged in, they can view the HTML files since they are accessing the FTP via the browser, and it should be noob safe.
Hope something in this meets your needs :)
Greetings
func0der
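The permission check in the folder-id approach above, written out as an added example (it is not func0der's code and not part of CakePHP). It assumes CakePHP 2.x, a `Client` model, a HABTM join table `clients_data_file_folders`, a `client_id` column on users and the `data_folder_id` field named in the answer; the two classes would normally live in their own files under `Model/` and `Controller/`. The check walks up `parent_id`, so granting a client one top-level folder is enough for everything below it, while a hidden (`visible = 0`) folder anywhere in the chain denies access.

```php
<?php
// Added example (not the answer's own code). Assumed: CakePHP 2.x, a Client
// model, join table clients_data_file_folders(client_id, data_file_folder_id),
// users.client_id, and DataFile.data_folder_id as described in the answer.
App::uses('AppModel', 'Model');
App::uses('AppController', 'Controller');

class DataFileFolder extends AppModel {
    public $hasMany = array('DataFile' => array('foreignKey' => 'data_folder_id'));
    public $hasAndBelongsToMany = array(
        'Client' => array('joinTable' => 'clients_data_file_folders'),
    );

    /**
     * True when the folder, or any ancestor of it, has been granted to the
     * client. The depth limit stops a corrupted parent_id cycle from looping
     * forever; an unknown or invisible folder in the chain denies.
     */
    public function isAccessibleBy($clientId, $folderId) {
        $clientId = (int) $clientId;
        $current = (int) $folderId;
        for ($depth = 0; $depth < 32 && $current > 0; $depth++) {
            $folder = $this->find('first', array(
                'conditions' => array('DataFileFolder.id' => $current, 'DataFileFolder.visible' => true),
                'fields' => array('DataFileFolder.id', 'DataFileFolder.parent_id'),
                'recursive' => -1,
            ));
            if (empty($folder)) {
                return false;
            }
            // CakePHP exposes the HABTM join model as $this->ClientsDataFileFolder.
            $granted = $this->ClientsDataFileFolder->find('count', array(
                'conditions' => array('client_id' => $clientId, 'data_file_folder_id' => $current),
            ));
            if ($granted > 0) {
                return true;
            }
            $current = (int) $folder['DataFileFolder']['parent_id'];
        }
        return false;
    }
}

class DataFilesController extends AppController {
    public $uses = array('DataFileFolder', 'DataFile');

    // /data_files/index/<folder id>: the check runs on every call, as the answer requires.
    public function index($folderId = null) {
        $clientId = $this->Auth->user('client_id');
        if (!$clientId || !$this->DataFileFolder->isAccessibleBy($clientId, $folderId)) {
            throw new ForbiddenException('You may not open this folder');
        }
        $folders = $this->DataFileFolder->find('all', array(
            'conditions' => array('parent_id' => (int) $folderId, 'visible' => true),
            'recursive' => -1,
        ));
        $files = $this->DataFile->find('all', array(
            'conditions' => array('data_folder_id' => (int) $folderId),
            'fields' => array('id', 'name', 'size', 'mime_type'),
            'recursive' => -1,
        ));
        $this->set(compact('folders', 'files'));
    }
}
```

The download action the answer mentions would look up the file record, run `isAccessibleBy()` against the file's `data_folder_id`, and only then hand the stored name and path to the Media view; the authorization decision stays in one model method that both listing and download share.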

Related

HTML5 Database Use without Server

Is it possible to use a local database file with html5 without using a server. I would like to create a small application that depends on information from a small database. I do not want to host a server just to pull information. Is it possible to create a database file and pull information from the local files ?
Depends on the following:
The type of application you want to build:
Normal website with some data being pulled from a local storage;
Special purpose hosted website / application with data generated by the user;
Special purpose local application with a dedicated platform (a particular browser) and with access to the browser's non-web API -- in order to access the browser's own persistent storage methods (file storage, SQLite etc.);
Special purpose local application with a dedicated environment -- in order to deploy the application with a local web server and database;
Available options:
Indexed DB
Web Storage
XML files used for storing data and XSLT stylesheets for translating the data into HTML;
Indexed DB and Web Storage are available in some browsers but you need to make sure the targeted browsers have it. Their features aren't quite as complete and flexible as SQL RDBMSs but they may fit the bill if your application doesn't need all that flexibility.
XML files can contain the data you want to be shown to the user and they can be updated manually (not by the user) or dynamically (by a server script).
For dynamic updating the content of the XML is kept in JavaScript and manipulated / altered (using the XML DOM) and when the session is over the XML content is sent to the server to entirely replace the previous XML file. This works OK if the individual users have a file each and they never write to each other's files.
Reading local files:
Normal file access is prohibited (for security reasons) to all local (JavaScript) code, which means that "having" a file locally implies either downloading it from a known source (a server) or asking the user to offer access to a local file.
Asking the user to offer access to a local file implies offering the user a "file input" -- like for uploads but without actually uploading the file.
After a file has been selected, using the FileAPI to read that file should be fairly simple.
This workflow would involve the user "giving" you the database on every page refresh -- but since it's a one page thing it would mean giving you the data on every session as long as your script does not refresh the page.
You can use localstorage but you can run a server from your own computer. You can use Wamp or Xampp. Which use Apache and mysql.
What I'm looking for is a little more robust than a cookie. I am making a web application for a friend that will be 1 page, and have a list of names on the page. The person wants to be able to add names to the list, however they do not want to use a web server. Just want the files locally on a computer so a folder called test-app, with index.html, and possibly a database file that can be stored in the web browser or a way to save information to the web browser for repeated use.

Per File access Control on Drupal 7 Content

Is there a way to restrict content download "Restricting Anonymous Users From Downloading Files"
Right now, once the user is logged in and he is able to obtain the URL to a path, he can re-download it again even if he logs off.
We've tried
-Rules Module and Content_Access Module to no avail.
it only supports:
Basic Rules per node
There's no
Basic Rules per Content (i.e. videos)
You can control access to files via Drupal only if both conditions are met:
private mode is on (see /admin/config/media/file-system)
Download folder is outside web server access, i.e. file upload folder contents are not accessible from the web.
See hook_file_download(), which is called for every private file.
Control access to private file downloads and specify HTTP headers.
This hook allows modules to enforce permissions on file downloads when the private file download method is selected. Modules can also provide headers to specify information like the file's name or MIME type.
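What an implementation of that hook looks like, as an added example (not the answer's code, and the module name `private_download` and the permission name are assumptions). With the private file system enabled, Drupal routes every `system/files/...` request through `file_download()`, which calls this hook on each request; returning `-1` denies, returning headers allows. Because the decision is made per request, a URL captured while logged in stops working the moment the session is gone, which is the problem the question describes.

```php
<?php
// Added example for a hypothetical Drupal 7 module "private_download".
// Requires the setup from the answer: private file system enabled and the
// private files directory outside the web root.

/**
 * Implements hook_file_download().
 */
function private_download_file_download($uri) {
  // Only take a position on private:// files; say nothing about public ones.
  if (file_uri_scheme($uri) !== 'private') {
    return NULL;
  }

  // Anonymous visitors are refused even if they still hold a URL from an
  // earlier login; this runs again on every download request.
  if (!user_is_logged_in()) {
    return -1;
  }

  // Finer gate: a role permission defined below, so downloads can be
  // restricted to specific roles rather than to every authenticated user.
  if (!user_access('download private files')) {
    return -1;
  }

  // Returning headers grants access; Drupal then streams the file itself.
  $headers = array(
    'Content-Type' => file_get_mimetype($uri),
    'Content-Length' => filesize($uri),
    'Cache-Control' => 'private, no-store',
  );

  // Offer video (the asker's content type) as an attachment rather than
  // letting the browser play it inline; drop this block to stream instead.
  if (strpos($headers['Content-Type'], 'video/') === 0) {
    $headers['Content-Disposition'] = 'attachment; filename="' . drupal_basename($uri) . '"';
  }
  return $headers;
}

/**
 * Implements hook_permission().
 */
function private_download_permission() {
  return array(
    'download private files' => array(
      'title' => t('Download private files'),
      'description' => t('Allows the user to download files stored in the private file system.'),
    ),
  );
}
```

Note that a `-1` from any module wins over headers returned by another, so this hook can only tighten access, never loosen what another module (such as file field access checks) has already denied.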

use common database class with restler API

I copied DB/PDO/MySQL.php from the crud example and put that directory structure in one of my API directories (and made changes for use with my database).
The API structure is myapi/artists (so the db stuff is myapi/artists/DB/PDO/MySQL.php) and I have index.php and Artists.php with the Artists API class.
So now I call $this->dp = new DB_PDO_MySQL(); in the Artists class and that works.
But I'd like to be able to use some common db functions across multiple API classes and have been unable to get the db stuff to work unless it is inside each API directory.
I tried putting myapi/DB/PDO/mysql.php under the vendor directory and edited AutoLoader.php to add an alias for 'myapi\DB\PDO' but that didn't work.
So, the question is, how do I configure things so I can share some common db code?
Assume I will have multiple API subdirectories under myapi directory (and myapi is at the same level as the examples directory).
Keep the MySQL.php file in the vendor/DB/PDO folder. Then you don't have to edit AutoLoader.php

only logged in users can play audio from our server

We have made a silverlight application where users can preview audio files from their browser from the telerik radmediaplayer control.
The files are on a webserver and anyone who sniffs the traffic can download the file.
We would like to prevent non-logged-in users from accessing/downloading these files.
Besides providing the application with some sort of temporary valid url and implementing a custom httphandler... what are our options?
It's not too big of a problem if our customers can download the files, we just don't want the rest of the world to also have access.
Any ideas would be more than welcome!
[Update]
The only thing I can come up with is:
host the files in a non-public folder
if a user requests to prelisten to a file, copy it to a public folder under a new name ([guid].mp3) and return its URL
every x minutes clean the public folder.
Don't let the web server serve up the files straight out of a directory. Put part of your application in front, and let one of your server-side scripts serve up these files. Keep the raw audio files out of the web root.
For instance, your client-side application would access files like so:
http://someserver/yourscript?audio_asset_id=12345
The code at yourscript would verify the session data, ensuring that a user is logged in, would then go figure out the real path to asset ID 12345, and echo its contents to the client. Don't forget to include the proper Content-Type header as well.
Once the accessing of these assets is under your control, you can implement whatever security measures you like. If your sessions are already pretty well safeguarded, this should be fine. I would also recommend implementing sane quotas. If you get 100 requests on an asset using the same session ID from multiple IP addresses... something isn't right.
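A minimal `yourscript` for the pattern above, added as an example (it is not the answer's code and the answer names no language; PHP is used here). It assumes PHP sessions carry `$_SESSION['user_id']` after login, that the audio lives in `/var/audio/` outside the web root, and that a catalogue maps asset ids to file names; the catalogue entries and the quota numbers are constructed for illustration and would come from a database in practice. It shows the three pieces the answer lists: the session check, the id-to-path indirection, and a per-session quota that flags one session fetching the same asset from several addresses.

```php
<?php
// Added example, not the answer's code. Assumed: $_SESSION['user_id'] is set
// at login, files live in /var/audio/ (outside the web root), and the
// catalogue below stands in for a database table.
session_start();

$AUDIO_ROOT = '/var/audio/';
$ASSETS = array(                     // constructed sample catalogue: id => file
    12345 => 'preview-track-01.mp3',
    12346 => 'preview-track-02.mp3',
);
$MAX_REQUESTS_PER_ASSET = 20;        // per session and asset (constructed limit)
$MAX_ADDRESSES_PER_SESSION = 3;      // distinct client addresses per session

function deny($code, $message) {
    http_response_code($code);
    header('Content-Type: text/plain');
    exit($message);
}

// 1. Only logged-in users. A URL copied from a network trace is useless once
//    the session behind it has been logged out or has expired.
if (empty($_SESSION['user_id'])) {
    deny(401, 'login required');
}

// 2. Resolve the id through the catalogue; the client never learns a path.
$assetId = isset($_GET['audio_asset_id']) ? (int) $_GET['audio_asset_id'] : 0;
if (!isset($ASSETS[$assetId])) {
    deny(404, 'unknown asset');
}
$path = $AUDIO_ROOT . $ASSETS[$assetId];
if (!is_file($path)) {
    deny(404, 'unknown asset');
}

// 3. Sane quota: count requests per session and asset, and remember the
//    addresses seen. The same session streaming one track from many
//    addresses is the "something isn't right" case from the answer.
$key = 'asset_' . $assetId;
if (!isset($_SESSION['quota'][$key])) {
    $_SESSION['quota'][$key] = array('count' => 0, 'ips' => array());
}
$_SESSION['quota'][$key]['count']++;
$_SESSION['quota'][$key]['ips'][$_SERVER['REMOTE_ADDR']] = true;
$seenAddresses = count($_SESSION['quota'][$key]['ips']);
if ($_SESSION['quota'][$key]['count'] > $MAX_REQUESTS_PER_ASSET
    || $seenAddresses > $MAX_ADDRESSES_PER_SESSION) {
    error_log(sprintf('audio quota exceeded: user=%s asset=%d addresses=%d',
        $_SESSION['user_id'], $assetId, $seenAddresses));
    deny(429, 'too many requests');
}

// 4. Stream the bytes with the proper headers; no-store keeps proxies from
//    holding a copy that would outlive the session check.
header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A production handler would also honour HTTP `Range` requests so the player can seek, and would keep the counters in a store shared across web nodes rather than in the PHP session; neither changes the access decision shown here.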

How to download a file from CakePHP?

I'm working on a College Application project.
I want to ask how to download the files that previously uploaded by user.
Here's the clear view :
User will upload the files.
Controller will handle the request and save the name of the files into database.
How can the admin download the file?
I tried to access localhost/system/files/upload.doc but didn't have any luck.
Consider using Media views: http://book.cakephp.org/1.3/view/1094/Media-Views
These will allow you to go to a path and load the database information about the file and then present the file with necessary download headers to the user.
Yes, use media views. They are the best way to keep your files from being publicly accessible. So an admin can be "served" the file and others cannot get to them.
You can rename the file and things like that as you serve it to the user as well. Very nice feature of cake.
