Securing Files over Web: Fine Grained Authorization Based File Access

Posted by Nishant on Stack Overflow
Published on 2010-03-21T14:08:33Z Indexed on 2010/03/21 14:11 UTC

I have a system where employees can upload files. There are three ways:

- Upload to my account in public, private or protected mode
- Upload to department account in public, private or protected mode
- Upload to organization account in public, private or protected mode

where public is visible to anyone, private to the group or person only and protected to anyone in the organization.

All the files for an organization are stored in a directory, say /files/<organizationId>/, on a file server, like:

files
+-- 234809
| +img1.jpg
| +doc1.pdf
+-- 808234
| +doc2.pdf

I am storing the file path and privacy level in the DB. So, I can control whether to show a link to a file URL to a user on a given page.

The problem is, I do not have any control over the file's URL... so, if someone types the URL to img1.jpg in his browser's address bar, there is no way to know whether a logged-in user is eligible to see img1.jpg.

Any suggestion?

Thanks
Nishant
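
One way to close the gap described in the question, as an added example that is not part of the original post: route every download through an application handler that checks the stored privacy level before a path is ever returned. The `User` and `FileRecord` shapes, the function names, the assumption that /files sits outside the web root, and the reading of "private" on an organization account as "members of that organization" are all assumptions.

```python
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

FILES_ROOT = Path("/files")  # storage root from the question; assumed outside the web root

@dataclass(frozen=True)
class User:                  # hypothetical session user
    user_id: int
    org_id: int
    dept_ids: frozenset = frozenset()

@dataclass(frozen=True)
class FileRecord:            # hypothetical DB row: file path plus privacy level
    org_id: int
    name: str
    owner_kind: str          # "user", "department" or "organization"
    owner_id: int
    privacy: str             # "public", "private" or "protected"

def may_read(user: Optional[User], rec: FileRecord) -> bool:
    """Decide access from the DB row; anything unrecognised is denied."""
    if rec.privacy == "public":
        return True
    if user is None or user.org_id != rec.org_id:
        return False                         # anonymous, or another organization
    if rec.privacy == "protected":
        return True                          # anyone in the organization
    if rec.privacy != "private":
        return False
    if rec.owner_kind == "user":
        return user.user_id == rec.owner_id
    if rec.owner_kind == "department":
        return rec.owner_id in user.dept_ids
    return rec.owner_kind == "organization"  # same org already checked above

def resolve(rec: FileRecord) -> Path:
    """Map a record to its path and refuse anything escaping /files/<org_id>/."""
    base = (FILES_ROOT / str(rec.org_id)).resolve()
    target = (base / rec.name).resolve()
    if base not in target.parents:
        raise PermissionError("path escapes organization directory")
    return target

def handle_download(user: Optional[User], rec: Optional[FileRecord]):
    """Return (status, path) for a download request routed through the application."""
    if rec is None:
        return 404, None
    if not may_read(user, rec):
        return 403, None
    return 200, resolve(rec)
```

The handler would stream the returned path itself, or hand it to the web server's internal-redirect mechanism, so the storage directory is never directly addressable by URL.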
