Securing Files over Web: Fine Grained Authorization Based File Access
Posted
by Nishant
on Stack Overflow
See other posts from Stack Overflow
or by Nishant
Published on 2010-03-21T14:08:33Z
Indexed on
2010/03/21
14:11 UTC
Read the original article
Hit count: 410
web-security
I have a system where employees can upload files. There are three ways Upload to my account in public, private or protected mode Upload to department account in public, private or protected mode Upload to organization account in public, private or protected mode where public is visible to anyone, private to the group or person only and protected to anyone in the organization.
All the files for an organization are stored in a directory say, /files/<organizationId>/, on file server like
files
+-- 234809
| +img1.jpg
| +doc1.pdf
+-- 808234
| +doc2.pdf
I am storing file-path and privacy level in DB. So, I can control whether to show link to a file URL to an user -- on a given page.
The problem is, I do not have any control over file's URL... so, if some one types the URL to img1.jpg in his browser's address bar, there is no way to know whether a logged in user is eligible to see img1.jpg.
Any suggestion?
Thanks
Nishant
© Stack Overflow or respective owner