hello, I'm generating sensible data this way:
` File::put(storage_path() . '/invoice_' . $invoice->number . '_' . $invoice->date . '.csv', $content);
return response()->download(storage_path() . '/invoice_' . $invoice->number . '_' . $invoice->date . '.pdf');`
to allow customer to download his own invoices. Now the question: if one knows the exact path to call, like http://<app_address>/storage/invoiceXXX.pdf could be able to download every document in there.
How could I stream the download without saving the document inside storage folder?
Thanks a lot
You can take a look to the Streamed Downloads, see: https://laravel.com/docs/6.x/responses#file-downloads
It should be something like:
return response()->streamDownload($content, 'invoice_' . $invoice->number . '_' . $invoice->date . '.csv'');
Those are two questions. Tobias showed you how to stream it, but that won't solve the security problem. You should always check if the authenticated user should be able to access the page, same goes for downloads. If your question was if the user can acces the /storage folder, then the answer is no. A user can only access everything that is in the /public folder (if you configured your virtual host of your web server correctly).
Sign in to participate in this thread!
Laravel
Laravel News
Laracasts
Laravel Podcast