Support the ongoing development of Laravel.io →
Security Views
Last updated 7 months ago.
0
Solution

If you put a file in public folder it will be accessible to everyone who knows the file name, because nginx/apache rewrite rules used by Laravel only apply to non-existing files, so Laravel won't even be run when accessing an existing file.

So, you still have to put restricted files somewhere out of public folder. Maybe in storage folder, but ultimately it doesn't matter.

And yes, you should just use Response::download.

Make a small FileController:

class FileController extends Controller {
	public function __construct()
	{
		$this->middleware('auth');
	}

	public function getFile($filename)
	{
		return response()->download(storage_path($filename), null, [], null);
	}
}

The fourth argument of download() being null prevents the Content-Disposition header being set to attachment. So your browser won't ask you save the file, but just show it.

Then add a route:

Route::get('file/{filename}', '[email protected]')->where('filename', '^[^/]+$');

And that's it. Now, your authenticated users can download files from storage folder (but not its subfolders) by calling http://yoursite.com/file/secret.jpg. Add you can use this URL in src attribute of an image tag.

Last updated 7 years ago.
0

Xum said:

If you put a file in public folder it will be accessible to everyone who knows the file name, because nginx/apache rewrite rules used by Laravel only apply to non-existing files, so Laravel won't even be run when accessing an existing file.

So, you still have to put restricted files somewhere out of public folder. Maybe in storage folder, but ultimately it doesn't matter.

And yes, you should just use Response::download.

Make a small FileController:

class FileController extends Controller {
  public function __construct()
  {
  	$this->middleware('auth');
  }

  public function getFile($filename)
  {
  	return response()->download(storage_path($filename), null, [], null);
  }
}

The fourth argument of download() being null prevents the Content-Disposition header being set to attachment. So your browser won't ask you save the file, but just show it.

Then add a route:

Route::get('file/{filename}', '[email protected]')->where('filename', '^[^/]+$');

And that's it. Now, your authenticated users can download files from storage folder (but not its subfolders) by calling http://yoursite.com/file/secret.jpg. Add you can use this URL in src attribute of an image tag.

Perfect, this seems to work just great. Also I didn't know about the 4th argument, so that makes it even better. I set it to 'inline' and I get it to be viewed in the browser.

Things are working great now.

Thanks!

0

Great Solution!

I needed to be able to specify a folder so...

Route:

Route::get('file/{foldername}/{filename}', '[email protected]')->where('filename', '^[^/]+$');

Controller:

public function getFile($foldername,$filename)
{
    $fullpath="{$foldername}/{$filename}";
    return response()->download(storage_path($fullpath), null, [], null);
}
Last updated 5 years ago.
0

Great question and answer! if you're looking for a file within the subfolder (i.e. personal) like http://yoursite.com/file/personal/secret.jpg the root above won't work. Change the where to:

->where('filename', '^(.+)\/([^\/]+)$')
0

Sign in to participate in this thread!

Full Stack Europe

Your banner here too?

Nertskull nertskull Joined 3 Apr 2015

Moderators

We'd like to thank these amazing companies for supporting us

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

© 2022 Laravel.io - All rights reserved.