ctf0 / Laravel-Media-Manager

A "Vuejs & Laravel" Media Manager With Tons of Features
MIT License
832 stars 181 forks

[Question] Securing files from public download #141

Closed seminarian closed 4 years ago

seminarian commented 4 years ago

In config/mediaManager.php there's a possibility to configure the used storage_disk:

    /*
     * filesystem disk
     */
    'storage_disk' => 'file-manager',

I've set up a custom storage disk with the following configuration:

        'file-manager' => [
            'driver' => 'local',
            'root' => storage_path('app/file-manager'),
        ],

The reason for this is that in our web application files should not be accessible for unauthenticated users, hence not storing in the public driver.

After changing this I noticed file downloads were not possible anymore and Image Editor didn't load images as well as previews in other places.

Is securing files from public download not supported currently? Or am I missing something here?

Thank you for your effort on the library and your time.

Semi

ctf0 commented 4 years ago

you should also add a url param to ur custom disk


seminarian commented 4 years ago

Would this mean that the files need to be publicly accessible or can they be protected via a Controller action? I've extended MediaController and am using that controller, it contains the following action:

    /**
     * download file.
     *
     * @param Request $request [description]
     *
     * @return [type] [description]
     */
    public function downloadFile(Request $request)
    {
        $file = json_decode($request->file, true);
        return response()->download(storage_path('app/file-manager/'.$file['storage_path']), $file['name']);
    }

I've also added authentication middleware to all the /media/* routes. I'm relatively new on Laravel and I'm a bit confused. Could you elaborate a bit on how I should make it work?

Also the Laravel docs mention the following:

> Remember, if you are using the local driver, all files that should be publicly accessible should be placed in the storage/app/public directory. Furthermore, you should create a symbolic link at public/storage which points to the storage/app/public directory.

Remember the point is that files are not publicly accessible without authentication of some sort.

ctf0 commented 4 years ago

the manager is built around the general idea of a media manager, specific cases like urs is beyond what the package can do, however thats why u r free to change the controller in any way u see fit.

here what the package can do for the access restrictions

if you think this is a limitation, PRs are welcome.
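
One way to serve files from the private `file-manager` disk only to authenticated users, as an added example that is not part of the thread or the package's own code. The `downloadFile` action posted above builds a filesystem path from a request-supplied `storage_path`; here that value is validated and resolved through the disk instead. The class name `PrivateMediaController`, the `show` action, its `/private-media/{path}` route and a disk `url` pointing at that route are assumptions.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

// Added example: the class name and the show() route are hypothetical.
// Assumes both actions are registered behind the 'auth' middleware.
class PrivateMediaController extends Controller
{
    // 'file' is client-supplied JSON, so every field in it is untrusted.
    public function downloadFile(Request $request)
    {
        $raw = $request->input('file');
        $file = is_string($raw) ? json_decode($raw, true) : null;
        return $this->serve($request, $file['storage_path'] ?? null, true);
    }

    // Inline variant for previews, e.g. GET /private-media/{path} with
    // ->where('path', '.*'), if the disk 'url' points there (assumption).
    public function show(Request $request, $path)
    {
        return $this->serve($request, $path, false);
    }

    private function serve(Request $request, $path, bool $attachment)
    {
        abort_unless($request->user() !== null, 403); // defence in depth
        $path = $this->safeRelativePath($path);
        $disk = Storage::disk('file-manager'); // private disk from the thread
        abort_unless($path !== null && $disk->exists($path), 404);

        // Download name is derived server-side; nosniff stops MIME guessing.
        return $attachment
            ? $disk->download($path, basename($path))
            : $disk->response($path, null, ['X-Content-Type-Options' => 'nosniff']);
    }

    // Returns a normalised relative path, or null if it could leave the root.
    private function safeRelativePath($path): ?string
    {
        if (!is_string($path) || $path === '' || strpos($path, "\0") !== false) {
            return null;
        }
        $path = str_replace('\\', '/', $path);
        return ($path[0] === '/' || in_array('..', explode('/', $path), true)) ? null : $path;
    }
}
```

Because the disk root stays under `storage/app/file-manager` and no `public/storage` symlink points to it, the web server cannot serve these files directly; every read goes through the authenticated actions above.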