
Protect a file manager from public


Hi guys,

I'm using TinyMCE and Roxy Fileman to manage my files. The problem is that anyone can access the plugin through the URL since it is public (which means they can upload/delete files), whereas I want to allow it for administrators only.

The plugin is accessible via mysite.dev/assets/fileman. I don't know how I can protect this route to allow it for authenticated users only.

I tried to protect my route by checking if the user is authenticated, but it's like Laravel ignores the instruction:

Route::any('/assets/fileman/', function(){
    die('forbidden');
});

This doesn't even have any effect.

Any idea?

Thank you

Zeeshan Chawdhary replied 9 months ago

Put it behind an Auth Middleware, see https://laravel.com/docs/5.5/authentication, section "Protecting Routes".

shad21 replied 9 months ago

Hi, thanks for your answer!

I don't really see how I could protect with a middleware. Let me explain and clarify everything:

My plugin is located at domainName/assets/fileman

It is accessible via my TinyMCE when an admin wants to create a page for instance: domainName/admin/page/create

But when you open the plugin it's a pop-up and you can also access it if you know the URL (which is domainName/assets/fileman).

My /admin routes are protected like so:

Route::group(['prefix' => 'admin', 'middleware' => ['role:admin']], function(){
    //
});

Middlewares don't seem to be the solution here ;/

Luis Terrero replied 9 months ago

I believe the auth middleware may be the solution; try to secure your route this way:

Route::get('domainName/assets/fileman', function () {
    // Only authenticated users will have access to this section
})->middleware('auth');

or

Route::get('domainName/assets/fileman', '[email protected]')->middleware('auth');

Not sure if it will work for your specific plugin, but if you try to access the route directly from the browser it will check if you're authenticated first.

shad21 replied 9 months ago

Already tried; this is not working :/

domainName/assets/fileman is located in the public folder; it's a physical route, and I think Laravel cannot forbid a user from accessing a public folder, whatever the route is.

Matthias replied 9 months ago

@shad21: Maybe using Laravel's built-in Storage:: facade would help to a certain extent, since then Laravel manages the files and you might be able to protect them?
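One way to act on the last two replies, as an added example that is not from any of the posters: move the Roxy Fileman directory out of public/ (assumed here to go to storage/app/fileman) so the web server can no longer serve it directly, then hand its files out through a Laravel route that sits behind the same middleware as the /admin group. The route name and the 'role:admin' middleware mirror the thread; the storage location is an assumption.

```php
<?php
// routes/web.php (added example, not code from the thread).
// Assumes the file-manager directory was moved from public/assets/fileman
// to storage/app/fileman, i.e. outside the web root, so only this route
// can reach it. The existing Route::any() never fired because the web
// server served the physical directory before Laravel was involved.

use Illuminate\Support\Facades\Route;

Route::get('/assets/fileman/{path}', function (string $path) {
    $base = realpath(storage_path('app/fileman'));
    $full = realpath($base . DIRECTORY_SEPARATOR . $path);

    // realpath() resolves "../" segments and symlinks, so comparing the
    // resolved path against the base directory rejects traversal attempts.
    if ($base === false || $full === false || !is_file($full)
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        abort(404);
    }

    return response()->file($full);
})->where('path', '.*')->middleware(['auth', 'role:admin']);
```

This only covers files handed out as static content; the plugin's own server-side scripts (uploads, deletes) must likewise be reached only through routes behind the same middleware rather than executed straight from public/.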

