From: "Bob McConnell" on
From: Rene Veerman

> the "proper way" i know of is not the easiest to implement..;
>
> 1) create a php script that accepts enough parameters to get at your
data.
> eg: /products/view.php?dataNr=1&itemNr=1
> 2) let that script compare the current user (visitor who's logged in)
> to authentication data that tells which it if the user can access the
> data requested. if it fails, you can route the user to a std page or
> to a custom page (store in auth-data under "onFail")
> 3) use apache's RewriteRule in /products/.htaccess to point virtual
> urls to the view script; /products/data1/item_1/data.txt =
> /products/view.php?dataNr=1&itemNr=1&file=data.txt (or something like
> that).
>
> the main problem here is how to properly store authentication data.
> how far to go depends on your (future) requirements.

There are some easier tricks, but still not simple. Only the wrapper
script should be in the webroot space. Everything else should be outside
of it, but accessible by the user that the web server runs under. The
wrapper also manages the session and any other access controls
necessary, such as connections to a DB server. Once you parse the
parameters from the URL, use require() or require_once() to link in the
specific pages you need from outside webroot. This way none of the files
or paths are exposed to the browser and nobody can get to those pages
without going through the authentication in the wrapper. You can even
pull in more than one, so there could be one file for the banner, one
for the menu tree on the left column, one for a header, one for the page
specific content and one for the footer. It makes global updates
relatively easy, but can be a pain to get started.

Bob McConnell
From: clancy_1 on
On Fri, 19 Feb 2010 13:19:50 -0500, stroh(a)astroh.org (Michael Stroh) wrote:

>I have a site I'm working on with some data that I want to be readable by anyone, but some files that I want to keep hidden from outside users. Here is an example of my file structure.
>
>/products/data1/item_1/data.txt
>/products/data2/item_2/data.txt
>
>I would like everything in data1 to be available by anyone who visits the site, but I want to keep items in the data2 folder to only be accessible through certain web page which I hope to eventually require logins. Some of these items I'd like to not only display but also allow people to download.
>
>My main concern is that I don't want people to be able to guess the names of the files and then be able to access the information on them. Every 'item' has an entry in a MySQL database which holds some information. I was thinking I could have randomly generated folder names to take the place of the things like 'item_2' such as
>
>/products/data2/kl23j42i/data.txt
>
>and then link the folder name through a database entry. But I'm not sure if there are more elegant or easier ways to deal with this. Plus someone could still just try randomly querying the site until they get a match. I'd first like to just create a web page where you can go to access the hidden files but would later like to add more control for other users using logins and passwords.
>
>Most of my files are just text files and images. Any suggestions?
>
>Thanks in advance!
>
>Michael

I have been working on a website engine for some time, and have recently been addressing
these problems. The website layout is specified by textbased data files, with a separate
entry for each item on the page. These may be links to subdirectories or even other
websites, links to further index pages or links to individual items.

Users are divided into groups, e.g. Guest, Admin, or Manager, and each data file has a
field specifying who is allowed to use it. Each entry has a similar field, and when a data
file is being loaded the loader checks that the current user has permission to access it
before allowing the file to be loaded, and then as it processes each item in the file it
checks if the user has permission to view this item, and if not skips it. This means that
the user only sees the items he is entitled to see. There is nothing to indicate that
anything is being hidden from him.

At present I only have one allowable group for each file or item, and permit individual
users to belong to multiple groups (as set up by the administrator). On reflection it
would probably be better to assign each user to a single group, and allow multiple groups
to be given access to the file. At first I simply assigned each user a privilege level; 0,
1, 2, .. , but this prevented giving some user groups access to some areas of the website,
and other user groups access to others.

Each website has one area containing data, and a separate one containing the engine (which
has all the code). The data area also contains a small file index.php, which sets up site
dependent parameters, and then hands access to the engine. I have several different
websites sharing the same engine, and this means both that the individual websites can
specify different configuration files and security requirements. One website can be fully
accessible, another only accessible after the user is logged in, and another can have some
areas only accessible through a hidden log in.

I use parameters to specify which page to be loaded, but I've recently realised that this
is a significant security hole, as the parameters are readily visible, and convey a lot of
information about the structure of the site. On second thoughts it would have been better
to specify the various directories and files by numbers.

The engine is in a separate directory which is not under the root, so it is not readily
accessible, but I wanted the photos to be able to be bookmarked, which meant that they had
to be under the root, and I put the data files with them for simplicity. However this
means that they can also be downloaded, so I will have to move them to a different
location, as some of them contain valuable information. Fortunately the way the engine is
designed makes this reasonably simple to do.

You can see a very simple demonstration website at

http://www.cydalba.com/?new=1.

At present this is set up so that part of the website is only accessible by hidden log in.
If you access it via

http://www.cydalba.com/?new=1&action=log_in

you will be asked to log in, which you can do as 'Guest', with password 'Mandy17'. Some
more of the website will then be accessible.

Clancy

From: Kim Madsen on
Michael Stroh wrote on 19/02/2010 19:19:
> I have a site I'm working on with some data that I want to be
> readable by anyone, but some files that I want to keep hidden from
> outside users. Here is an example of my file structure.
>
> /products/data1/item_1/data.txt
> /products/data2/item_2/data.txt

since no one has suggested it then... if you're on an Apache webserver
use a .htaccess file in data2 which contains:

Deny from all
Allow from none

That will do the trick and PHP can still fetch the files in data2 and
serve it to the user.

--
Kind regards
Kim Emax - masterminds.dk
From: Nathan Rixham on
Kim Madsen wrote:
> Michael Stroh wrote on 19/02/2010 19:19:
>> I have a site I'm working on with some data that I want to be
>> readable by anyone, but some files that I want to keep hidden from
>> outside users. Here is an example of my file structure.
>>
>> /products/data1/item_1/data.txt
>> /products/data2/item_2/data.txt
>
> since no one has suggested it then... if you're on an Apache webserver
> use a .htaccess file in data2 which contains:
>
> Deny from all
> Allow from none
>
> That will do the trick and PHP can still fetch the files in data2 and
> serve it to the user.
>

Glad you said this; I'd been waiting to see if anybody would - certainly
there is no quicker or easier way to solve this particular problem.

Also worth adding that you can easily password protect the directories
too using HTTP authorisation [1] (and even hook it in to LDAP or
suchlike very simply).

It's the curse of the PHP developer to try and use PHP to solve every
problem - we all fall fowl of it often (I've wasted years doing things
in PHP that really should have been done with a different tech).

[1] http://httpd.apache.org/docs/2.0/howto/auth.html

Regards!

Nathan
From: Al on
I use Kim's solution and take it one step forward. Htacces files can get lost or
corrupted, so....


In my config file I have the text string.

//region******** htaccess file text ********
// Code writes to /db folder; Admin mode checks file existence and text;
replaces with this if different.

$htaccessText = <<<hta
# Prevent Direct Access to MiniRegDB DB Files
<Files *>
Order Deny,Allow
Deny from all
</Files>
hta;
//endregion

In my main control file I call this function

/**
* checkHTaccessFile()
*
* Checks and restores htaccess Prevent Direct Access to MiniRegDB Program Files
*
* @param mixed $htaccessText in config file
* @return
*/
function checkHTaccessFile($htaccessText)
{
if(file_exists(MINIREG_DATA_DIR . '.htaccess') &&
file_get_contents(MINIREG_DATA_DIR . '.htaccess') == $htaccessText) return true;

file_put_contents(MINIREG_DATA_DIR . '.htaccess', $htaccessText);
return true;
}


On 2/20/2010 4:05 AM, Kim Madsen wrote:
> Michael Stroh wrote on 19/02/2010 19:19:
>> I have a site I'm working on with some data that I want to be
>> readable by anyone, but some files that I want to keep hidden from
>> outside users. Here is an example of my file structure.
>>
>> /products/data1/item_1/data.txt
> > /products/data2/item_2/data.txt
>
> since no one has suggested it then... if you're on an Apache webserver
> use a .htaccess file in data2 which contains:
>
> Deny from all
> Allow from none
>
> That will do the trick and PHP can still fetch the files in data2 and
> serve it to the user.
>